Skip to content

feat: add --print-graph-with-errors flag to return complete dep-graphs as JSONL #6477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
thomasschafer wants to merge 1 commit into from
Closed

feat: add --print-graph-with-errors flag to return complete dep-graphs as JSONL #6477

thomasschafer wants to merge 1 commit into from
+383 −47

Conversation

@thomasschafer
Copy link
Contributor

@thomasschafer thomasschafer commented Jan 26, 2026
edited
Loading

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High) - n/a
  • Highlights breaking API changes (if applicable) - none
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___) - n/a
  • Includes product update to be announced in the next stable release notes - n/a

What does this PR do?

This PR adds a new --print-graph-with-errors flag, which is almost identical to --print-effective-graph-with-errors except that the graph is the "complete" dep-graph rather than the "effective" graph. This is required for us to bring uv support to the sbom CLI command.

I have also done a small amount of refactoring to help with the number of print-graph flags that are now available, but I still think we could consider further refactoring in future: for instance, perhaps we could have a single --print-graph flag with options to toggle on the graph being "effective", including errors, and being in legacy vs JSON format. However this would take a lot of work and would be somewhat risky as it would require coordinated changes across multiple plugins, so I was reluctant to make that change right now - happy to hear any thoughts.

How should this be manually tested?

Build the CLI on this branch, and run <path/to/cli> test --print-graph-with-errors against some projects, possibly with --all-projects. You should see the graph printed as expected, but importantly in comparison to --print-effective-graph-with-errors, the graph will have all transitive dependencies.

What's the product update that needs to be communicated to CLI users?

None

@thomasschafer thomasschafer force-pushed the feat/permit-graphs-to-be-returned-unpruned-as-jsonl branch from ab5e9c7 to 6cd3742 Compare January 26, 2026 16:49
thomasschafer
thomasschafer commented Jan 26, 2026
View reviewed changes
src/lib/snyk-test/common.ts
});
}

export function shouldPrintDepGraph(opts: Options): boolean {
Copy link
Contributor Author

@thomasschafer thomasschafer Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was moved down and modified slightly - see shouldPrintDepGraphLegacy

snyk-tim
snyk-tim reviewed Jan 26, 2026
View reviewed changes
src/lib/snyk-test/index.js
Comment on lines +62 to +65
// Some plugins e.g. Maven explicitly check for print-graph
if (shouldPrintDepGraphWithErrors(options)) {
options['print-graph'] = true;
}
Copy link
Contributor

@snyk-tim snyk-tim Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes me think this option might be better expressed as an additional argument that controls whether errors are shown.

Does the maven plugin also look for --print-effective-graph as well as --print-graph?

Copy link
Contributor Author

@thomasschafer thomasschafer Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the maven plugin also look for --print-effective-graph as well as --print-graph?

No it doesn't - see here

This makes me think this option might be better expressed as an additional argument that controls whether errors are shown.

Yes I think this would be nice - presumably we'd want to do the same with --print-effective-graph-with-errors too, i.e. we'd have a new flag like --include-print-graph-errors which could be used with either --print-graph or --print-effective-graph (and we'd get rid of the --print-effective-graph-with-errors flag)? What do you think?

Copy link
Contributor

@snyk-tim snyk-tim Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that errors are required to be output for two different graphs it makes sense to switch to something like --include-print-graph-errors.

One downside though, is that I wouldn’t expect adding --include-print-graph-errors to --print-graph to also change the output format from legacy to JSON.

@thomasschafer
Copy link
Contributor Author

thomasschafer commented Jan 27, 2026

Closing for now as we are considering alternative approaches that unify the printing flag (e.g. a new --print-structured-graph flag), with the output as JSONL and errors always included, and with an additional flag to determine whether the graph should be "effective" or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@snyk-tim snyk-tim snyk-tim left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thomasschafer @snyk-tim