
DEPLOCK: Create initial Lockfile checker and generator  #2

@pombredanne

Description

There are many ways to get the resolved dependencies of a project. Some of these are:

  1. Run the package manager(s) "install" command to fetch and install locally the dependencies, then scan them
  2. Run the package manager(s) command to generate lockfiles then parse and collect
  3. Collect the deps from parsing an existing lockfile or lockfile-like file
  4. Run the package manager(s) command to resolve the dependencies, then parse the output or files generated from these commands
  5. Run some tool to simulate the dependency resolution, then parse the output or files generated from these commands
  6. Run a build and trace it with tracecode to collect fetched archives, and used files

Unless there is a locked, reproducible build process (backed by committed lockfiles as in 3.), all approaches are approximations of the dependency resolution. (Short of yet another approach with a binary, deployed code analysis)

Yet, 1, 2, 4, and 5 all require some extensive setup or guessing to set up a build environment, as it is arbitrarily hard to reproduce build environments reliably at scale.

Therefore, I propose a different approach here:

  • Check if there are lockfiles available, optionally fail when not
  • When there is no lockfile available, generate one by providing instructions and tools to run this IN THE CONTEXT OF THE BUILD, by and with the project team's intimate understanding of this build
  • If there is no such lockfile in the ecosystem (such as Maven), invent one from existing or new tools and promote conventions on naming, format and location
  • Then always parse a pre-computed lockfile
  • Ensure that we merge lockfiles with their parent package manifest (in SCTK)

Separately, continue supporting dependency resolution simulation with all its problems with the various inspectors.
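The first step of the proposal, "check if there are lockfiles available, optionally fail when not", is small enough to show end to end. The script below is an added example written for this issue; it is not code from the issue author or from the project. It assumes a mapping of manifest names to the conventional lockfile names of a few ecosystems (the mapping is my own, not taken from the issue), walks a source tree while skipping installed dependency trees, and reports each manifest with the lockfile found beside it, or `None` when there is none. With `fail_on_missing=True` it raises, which is the "optionally fail" behaviour. The sample tree it runs on is constructed in a temporary directory so the example works offline.

```python
import os
import tempfile
from pathlib import Path

# Manifest filename -> lockfile candidates (any one present satisfies the check).
# Assumption: these are the conventional names in each ecosystem; the issue itself
# lists no such table. Maven maps to an empty tuple: no conventional lockfile exists.
LOCKFILES_BY_MANIFEST = {
    "package.json": ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"),
    "pyproject.toml": ("poetry.lock", "pdm.lock", "uv.lock"),
    "Pipfile": ("Pipfile.lock",),
    "Cargo.toml": ("Cargo.lock",),
    "go.mod": ("go.sum",),
    "Gemfile": ("Gemfile.lock",),
    "composer.json": ("composer.lock",),
    "pom.xml": (),
}

# Directories that hold already-installed dependencies or VCS metadata; manifests
# inside them belong to third-party packages, not to the project under review.
SKIP_DIRS = {"node_modules", ".git", "vendor", "target", ".venv"}


class MissingLockfile(Exception):
    """Raised by check_lockfiles(fail_on_missing=True) when a manifest has no lockfile."""


def check_lockfiles(root, fail_on_missing=False):
    """Return {manifest_relpath: lockfile_relpath or None} for every manifest under root."""
    root = Path(root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune in place so os.walk does not descend into skipped directories
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        present = set(filenames)
        for manifest, candidates in LOCKFILES_BY_MANIFEST.items():
            if manifest not in present:
                continue
            found = next((c for c in candidates if c in present), None)
            rel_manifest = Path(dirpath, manifest).relative_to(root).as_posix()
            rel_lock = Path(dirpath, found).relative_to(root).as_posix() if found else None
            results[rel_manifest] = rel_lock
    missing = sorted(m for m, lock in results.items() if lock is None)
    if fail_on_missing and missing:
        raise MissingLockfile("manifests without a lockfile: " + ", ".join(missing))
    return results


def build_sample_tree(base):
    """Create a constructed project layout (sample data, not a real project)."""
    files = [
        "package.json",                      # npm root with a lockfile
        "package-lock.json",
        "services/api/pyproject.toml",       # Python package with NO lockfile
        "lib/Cargo.toml",                    # Rust crate with a lockfile
        "lib/Cargo.lock",
        "node_modules/left-pad/package.json",  # installed dependency: must be skipped
    ]
    for rel in files:
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("{}\n")


def run_demo():
    """Build the sample tree, run the check in both modes, return (results, failed)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = check_lockfiles(tmp)
        try:
            check_lockfiles(tmp, fail_on_missing=True)
            failed = False
        except MissingLockfile:
            failed = True
    return results, failed


if __name__ == "__main__":
    results, failed = run_demo()
    for manifest, lock in sorted(results.items()):
        print(f"{manifest}: {lock or 'NO LOCKFILE'}")
    print("fail_on_missing raised:", failed)
```

Manifests found inside `node_modules` are deliberately not reported, because what matters for the proposal is whether the project's own manifests are backed by a committed lockfile; a `pom.xml` will always show as missing, which is the ecosystem gap the issue wants to fill with an invented lockfile convention.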

Some insights and concrete todos:

See #13 for package types beyond this first batch
