---
title: pack resolve-dependencies
versions:
  fpt: '*'
  ghae: '*'
  ghec: '*'
  ghes: '*'
topics:
  - Advanced Security
  - Code scanning
  - CodeQL
type: reference
product: '{% data reusables.gated-features.codeql %}'
autogenerated: codeql-cli
intro: |-
  [Experimental] [Plumbing] Compute the set of required dependencies for this QL pack.
redirect_from:
  - /code-security/codeql-cli/manual/pack-resolve-dependencies
---

{% data reusables.codeql-cli.man-pages-version-note %}

## Synopsis

```shell copy
codeql pack resolve-dependencies ... --
```

## Description

\[Experimental] \[Plumbing] Compute the set of required dependencies for this QL pack.

This command searches the configured registries for required dependencies and returns the list of resolved dependencies.

Available since `v2.6.0`.

## Primary options

#### ``

The root directory of the package.

#### `--format=`

Select output format, either `text` _(default)_ or `json`.

#### `--mode=`

Specifies how to resolve dependencies:

`minimal-update` _(default)_: Update or create the codeql-pack.lock.yml based on the existing contents of the qlpack.yml file. If any existing codeql-pack.lock.yml does not satisfy the current dependencies in the qlpack.yml, the lock file will be updated as necessary.

`upgrade`: Update or create the codeql-pack.lock.yml to use the latest versions of all dependencies, subject to the constraints in the qlpack.yml file.

`verify`: Verify that the existing codeql-pack.lock.yml is still valid with respect to the dependencies specified in the qlpack.yml file, or fail if the lock file does not exist.

`no-lock`: Ignore the existing codeql-pack.lock.yml and perform resolution based on the qlpack.yml file. Does not create or update the lock file.

`use-lock`: Use the existing codeql-pack.lock.yml file to resolve dependencies, or create the lock file if it does not exist.

`update`: \[Deprecated] Update or create the codeql-pack.lock.yml to use the latest versions of all dependencies, subject to the constraints in the qlpack.yml file. Equivalent to `upgrade`.

#### `--[no-]allow-prerelease`

Allow packs with pre-release version qualifiers (e.g., `X.Y.Z-qualifier`) to be used. Without this flag, pre-release packs will be ignored.

Available since `v2.11.3`.

#### `--no-strict-mode`

\[Advanced] Turn off strict mode to avoid a warning when resolving packages from the `--additional-packs` and other locally resolved locations. Packages resolved locally are never downloaded and will not be added to the package lock.

#### `--lock-override=`

\[Advanced] Specifies an alternate lock file to use as the input to dependency resolution.

### Options for resolving QL packs outside of the package registry

#### `--search-path=[:...]`

A list of directories under which QL packs may be found. Each directory can either be a QL pack (or bundle of packs containing a `.codeqlmanifest.json` file at the root) or the immediate parent of one or more such directories.

If the path contains more than one directory, their order defines precedence between them: when a pack name that must be resolved is matched in more than one of the directory trees, the one given first wins.

Pointing this at a checkout of the open-source CodeQL repository ought to work when querying one of the languages that live there.

If you have checked out the CodeQL repository as a sibling of the unpacked CodeQL toolchain, you don't need to give this option; such sibling directories will always be searched for QL packs that cannot be found otherwise. (If this default does not work, it is strongly recommended to set up `--search-path` once and for all in a per-user configuration file).

(Note: On Windows the path separator is `;`).

#### `--additional-packs=[:...]`

If this list of directories is given, they will be searched for packs before the ones in `--search-path`. The order between these doesn't matter; it is an error if a pack name is found in two different places through this list.

This is useful if you're temporarily developing a new version of a pack that also appears in the default path. On the other hand, it is *not recommended* to override this option in a config file; some internal actions will add this option on the fly, overriding any configured value.

(Note: On Windows the path separator is `;`).

### Options for configuring the CodeQL package manager

#### `--registries-auth-stdin`

Authenticate to GitHub Enterprise Server Container registries by passing a comma-separated list of \=\ pairs.

For example, you can pass `https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2` to authenticate to two GitHub Enterprise Server instances.

This overrides the CODEQL\_REGISTRIES\_AUTH and GITHUB\_TOKEN environment variables. If you only need to authenticate to the github.com Container registry, you can instead authenticate using the simpler `--github-auth-stdin` option.

#### `--github-auth-stdin`

Authenticate to the github.com Container registry by passing a github.com GitHub Apps token or personal access token via standard input.

To authenticate to GitHub Enterprise Server Container registries, pass `--registries-auth-stdin` or use the CODEQL\_REGISTRIES\_AUTH environment variable.

This overrides the GITHUB\_TOKEN environment variable.

### Common options

#### `-h, --help`

Show this help text.

#### `-J=`

\[Advanced] Give option to the JVM running the command.

(Beware that options containing spaces will not be handled correctly.)

#### `-v, --verbose`

Incrementally increase the number of progress messages printed.

#### `-q, --quiet`

Incrementally decrease the number of progress messages printed.

#### `--verbosity=`

\[Advanced] Explicitly set the verbosity level to one of errors, warnings, progress, progress+, progress++, progress+++. Overrides `-v` and `-q`.

#### `--logdir=`

\[Advanced] Write detailed logs to one or more files in the given directory, with generated names that include timestamps and the name of the running subcommand.

(To write a log file with a name you have full control over, instead give `--log-to-stderr` and redirect stderr as desired.)
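
A CI lock-file gate built from `--mode=verify` and `--registries-auth-stdin`, as an added example that is not part of the CodeQL documentation: the job fails when `codeql-pack.lock.yml` has drifted from `qlpack.yml`, and registry tokens reach the CLI on standard input instead of the command line. The function names and the input validation rules are assumptions of this example, and it assumes the command exits non-zero when verification fails.

```shell
#!/usr/bin/env bash
# Added example, not part of the CodeQL documentation.
# Function names and validation rules are assumptions of this example.

# Join "URL TOKEN URL TOKEN ..." arguments into the comma-separated
# URL=TOKEN list that --registries-auth-stdin reads (see its example).
build_registries_auth() {
  local out url token
  out=""
  if [ $# -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
    echo "usage: build_registries_auth URL TOKEN [URL TOKEN ...]" >&2
    return 2
  fi
  while [ $# -gt 0 ]; do
    url=$1; token=$2; shift 2
    case "$url" in
      https://*) ;;
      *) echo "refusing non-HTTPS registry URL: $url" >&2; return 2 ;;
    esac
    [ -n "$token" ] || { echo "empty token for $url" >&2; return 2; }
    # A comma or whitespace in either field would split or corrupt the list.
    [ "$(printf '%s' "$url$token" | tr -d ', \t\n')" = "$url$token" ] ||
      { echo "comma or whitespace in pair for $url" >&2; return 2; }
    out="${out:+$out,}${url}=${token}"
  done
  printf '%s' "$out"
}

# Check that codeql-pack.lock.yml still satisfies qlpack.yml without
# rewriting it. Tokens go to the CLI on stdin, never on the command line.
# Returns the CLI's exit status (assumed non-zero when verification fails).
verify_pack_lock() {
  local pack_dir auth
  pack_dir=$1; shift
  auth=$(build_registries_auth "$@") || return 2
  printf '%s' "$auth" |
    codeql pack resolve-dependencies --mode=verify --format=json \
      --registries-auth-stdin -- "$pack_dir"
}
```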