Skip to content

Add command to audit dependencies#236

Merged
micprog merged 7 commits intopulp-platform:masterfrom
tenstorrent:audit
Jan 12, 2026
Merged

Add command to audit dependencies#236
micprog merged 7 commits intopulp-platform:masterfrom
tenstorrent:audit

Conversation

@mrogenmoserTT
Copy link
Copy Markdown
Contributor

@mrogenmoserTT mrogenmoserTT commented Dec 11, 2025

No description provided.

@micprog micprog requested review from fischeti and paulsc96 December 11, 2025 11:11
@paulsc96
Copy link
Copy Markdown

paulsc96 commented Dec 11, 2025
edited
Loading

I tested it on Cheshire, it works for me.

Only slight gripe is that conflicts are reported if a remote exists with and without .git suffix in different dependencies; perhaps this can be worked around:

Conflict: common_cells            -> check parents

$ bender parents common_cells
Parents found:
    cheshire               requires: ^1.38.0  at `https://github.com/pulp-platform/common_cells.git`
    apb                    requires: ^1.16.2  at `https://github.com/pulp-platform/common_cells.git`
    axi                    requires: ^1.37.0  at `https://github.com/pulp-platform/common_cells.git`
    axi_llc                requires: ^1.21.0  at `https://github.com/pulp-platform/common_cells.git`
    axi_riscv_atomics      requires: ^1.11.0  at `https://github.com/pulp-platform/common_cells.git`
    axi_rt                 requires: ^1.32.0  at `https://github.com/pulp-platform/common_cells.git`
    axi_stream             requires: ^1.21.0  at `https://github.com/pulp-platform/common_cells.git`
    axi_vga                requires: ^1.33.0  at `https://github.com/pulp-platform/common_cells`
    clic                   requires: ^1.26.0  at `https://github.com/pulp-platform/common_cells.git`
    clint                  requires: ^1.25.0  at `https://github.com/pulp-platform/common_cells.git`
    cva6                   requires: ^1.23.0  at `https://github.com/pulp-platform/common_cells`
    fpnew                  requires: ^1.21.0  at `https://github.com/pulp-platform/common_cells.git`
    fpu_div_sqrt_mvp       requires: ^1.13.1  at `https://github.com/pulp-platform/common_cells.git`
    idma                   requires: ^1.33.0  at `https://github.com/pulp-platform/common_cells.git`
    irq_router             requires: ^1.21.0  at `https://github.com/pulp-platform/common_cells.git`
    obi                    requires: ^1.38.0  at `https://github.com/pulp-platform/common_cells.git`
    obi_peripherals        requires: ^1.37.0  at `https://github.com/pulp-platform/common_cells.git`
    opentitan_peripherals  requires: ^1.25.0  at `https://github.com/pulp-platform/common_cells.git`
    register_interface     requires: ^1.21.0  at `https://github.com/pulp-platform/common_cells.git`
    riscv-dbg              requires: ^1.24.0  at `https://github.com/pulp-platform/common_cells.git`
    serial_link            requires: ^1.28.0  at `https://github.com/pulp-platform/common_cells.git`
    unbent                 requires: ^1.29.0  at `https://github.com/pulp-platform/common_cells.git`

@mrogenmoserTT mrogenmoserTT force-pushed the audit branch 2 times, most recently from 6140185 to c4bed3d Compare December 11, 2025 15:37
fischeti
fischeti reviewed Jan 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@fischeti fischeti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice feature! I tried it out in picobello, and it seems to work as intended apart from few examples (see below):

I think the actual output could be a bit improved since it is not immediately clear how to interpret the output and what action to take. To give some examples:

Conflict: tech_cells_generic   -> check parents
Up-to-date: tech_cells_generic   @ 0.2.13

here it says there is a conflict (which sounds bad), but then on the next line says it's up to date.

 Conflict: hwpe-ctrl   -> check parents
 Auto-update: hwpe-ctrl   2.0.0 -> 2.1.0

Conflict: riscv-dbg   -> check parents
Update: riscv-dbg   0.8.1 -> 0.9.0

Those are somehow conflicting, no?

Auto-update: cluster_icache   0.2.0 -> 0.3.1

Shouldn't this be a breaking version?

I think the improve we could improve the command by writting out the cause and action e.g.:

Audit: audited `axi_stream` -> @ 0.1.1 is up-to-date

Audit: audited `clic` -> consider *upgrading* 2.0.0 to 3.0.0

Audit: idma *failed* -> run `bender cargo parents idma` to check versions
     - cause: `idma` uses hash instead of version -> consider switching to versioned release

Audit: audited cluster_icache -> *auto-upgrade* 0.2.0 -> 0.3.1 with `bender update cluster_icache`

This is more of a nice to have. We can also merge it like this, and then maybe later I can lay my hands on it🤓

I also have some minor code suggestions below

@mrogenmoserTT
Copy link
Copy Markdown
Contributor Author

mrogenmoserTT commented Jan 9, 2026

@paulsc96 I added a flag to ignore URL conflicts when running audit, but I think checking these conflicts and parsing for git@/https:// and .git differences is up to the user.
@fischeti I addressed your feedback, ensuring hash dependencies are correctly identified instead of indicating the auto-update for the case you pointed out, and adjusting the output for a cleaner representation.

@micprog micprog requested a review from fischeti January 9, 2026 17:34
fischeti
fischeti approved these changes Jan 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@fischeti fischeti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now!

@micprog micprog merged commit dad1968 into pulp-platform:master Jan 12, 2026
7 checks passed
@mrogenmoserTT mrogenmoserTT deleted the audit branch January 12, 2026 13:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fischeti fischeti fischeti approved these changes

@paulsc96 paulsc96 Awaiting requested review from paulsc96

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mrogenmoserTT @paulsc96 @fischeti @micprog