Todo-list

Todo

Implement a best matching strategy, across package managers of different kinds.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/dump.md, line 87.)

Todo

Add an --installed boolean flag to search to reduce the searched packages to those already installed. (installed itself now accepts a QUERY argument to filter its own listing.)

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/duplicates.md, line 75.)

Todo

Today every extractor is local-only (shell-outs to the manager’s CLI, plus on-disk reads). Once extractors start reaching for network resources (PyPI’s JSON API, npm’s registry, crates.io, GitHub’s security advisories), the --bundled flag will no longer be a fine-grained enough knob: some users will want enrichment but not network traffic (offline scans, CI without egress). The natural split is a future --network/--no-network flag layered under --bundled, gating specifically the network-touching code paths and leaving local enrichment always-on for --bundled.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/manager.py:docstring of meta_package_manager.manager.PackageManager.package_metadata_batch, line 28.)

Todo

Candidate ecosystems for project-scope discovery. Listed with the project files that signal each, grouped by whether mpm already ships a system-scoped manager that could grow a project mode.

Already covered by a manager (npm, yarn, pnpm, pip, uv, cargo, gem, composer, cpan):

  • JavaScript: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml

  • Python: requirements.txt, pyproject.toml, poetry.lock, uv.lock

  • Rust: Cargo.toml, Cargo.lock

  • Ruby: Gemfile, Gemfile.lock

  • PHP: composer.json, composer.lock

  • Perl: cpanfile

No manager yet:

  • Java: pom.xml (Maven), build.gradle (Gradle), ivy.xml

  • Go: go.mod, go.sum

  • .NET: *.csproj, packages.config (NuGet)

  • Swift: Package.swift, Package.resolved

  • CocoaPods: Podfile, Podfile.lock

  • C/C++: conanfile.txt (Conan), vcpkg.json (vcpkg)

  • Conda: conda-lock.yml

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/manager.py:docstring of meta_package_manager.manager.PackageManager.discover_projects, line 11.)
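
A sketch of the discovery walk the table above implies, added here as an example; it is not mpm's own discover_projects() implementation. The marker table is the ecosystem list above (with `*.csproj` as a glob); the skipped directories, the depth cap and the rule of never following symlinked directories are this example's assumptions, chosen so a vendored `node_modules` tree or a symlink loop cannot turn every dependency into a "project".

```python
"""Project-scope discovery by marker files.

Added example for this page, not mpm's own discover_projects(). The marker table is
the ecosystem list above; SKIP_DIRS, the depth cap and the symlink rule are this
example's assumptions.
"""
from __future__ import annotations

import fnmatch
import tempfile
from pathlib import Path

# Ecosystem -> marker file patterns; `*.csproj` is a glob, everything else an exact name.
PROJECT_MARKERS: dict[str, tuple[str, ...]] = {
    "javascript": ("package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "python": ("requirements.txt", "pyproject.toml", "poetry.lock", "uv.lock"),
    "rust": ("Cargo.toml", "Cargo.lock"),
    "ruby": ("Gemfile", "Gemfile.lock"),
    "php": ("composer.json", "composer.lock"),
    "perl": ("cpanfile",),
    "java": ("pom.xml", "build.gradle", "ivy.xml"),
    "go": ("go.mod", "go.sum"),
    "dotnet": ("*.csproj", "packages.config"),
    "swift": ("Package.swift", "Package.resolved"),
    "cocoapods": ("Podfile", "Podfile.lock"),
    "c_cpp": ("conanfile.txt", "vcpkg.json"),
    "conda": ("conda-lock.yml",),
}

# Directories holding installed or vendored copies of *other* projects. Descending into
# them would report every dependency as a project of its own (assumed list).
SKIP_DIRS = frozenset({".git", "node_modules", ".venv", "venv", "vendor", "target", "build", "dist"})


def match_ecosystems(filenames) -> dict[str, list[str]]:
    """Return {ecosystem: [sorted matching filenames]} for one directory's entries."""
    names = list(filenames)
    hits: dict[str, list[str]] = {}
    for ecosystem, patterns in PROJECT_MARKERS.items():
        matched = {f for f in names for p in patterns if fnmatch.fnmatchcase(f, p)}
        if matched:
            hits[ecosystem] = sorted(matched)
    return hits


def discover_projects(root, max_depth: int = 6) -> dict[str, dict[str, list[str]]]:
    """Walk `root` and return {relative directory: {ecosystem: [marker files]}}.

    Symlinked directories are never followed (loops, and escapes out of `root`), and
    the depth cap bounds the walk on a pathological tree.
    """
    root = Path(root).resolve()
    found: dict[str, dict[str, list[str]]] = {}
    stack = [(root, 0)]
    while stack:
        directory, depth = stack.pop()
        try:
            entries = list(directory.iterdir())
        except (PermissionError, FileNotFoundError):
            continue
        hits = match_ecosystems(e.name for e in entries if e.is_file())
        if hits:
            found[directory.relative_to(root).as_posix()] = hits
        if depth < max_depth:
            stack.extend(
                (e, depth + 1)
                for e in entries
                if e.is_dir() and not e.is_symlink() and e.name not in SKIP_DIRS
            )
    return dict(sorted(found.items()))


def demo() -> dict[str, dict[str, list[str]]]:
    """Build a constructed sample tree in a temp dir and run discovery over it."""
    layout = (
        "pyproject.toml", "uv.lock",
        "web/package.json", "web/pnpm-lock.yaml",
        "web/node_modules/vendored-dep/package.json",  # vendored: must not be reported
        "svc/Api.csproj", "svc/go.mod",
    )
    with tempfile.TemporaryDirectory() as tmp:
        for rel in layout:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
        return discover_projects(tmp)


if __name__ == "__main__":
    for directory, hits in demo().items():
        print(directory, hits)
```

The walk reports a directory once per ecosystem it signals, so a repository that carries both a `go.mod` and a `.csproj` shows up under both; the caller decides whether that is one polyglot project or two. Note that marker files only tell you which manager to ask, not what is installed: the lockfile still has to be parsed (or the manager invoked in project mode) to get package names and versions.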

Todo

Reuse the mapping that is proposed upstream to the package-url Python project.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/specifier.py:docstring of meta_package_manager.specifier.PURL_MAP, line 16.)

Todo

Use the removed variable to detect removed packages (which are reported with a (!) flag). See: https://github.com/caskroom/homebrew-cask/blob/master/doc/reporting_bugs/uninstall_wrongly_reports_cask_as_not_installed.md and https://github.com/kdeldycke/meta-package-manager/issues/17 .

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/homebrew.py:docstring of meta_package_manager.managers.homebrew.Homebrew.installed, line 31.)

Todo

Evaluate pythonfinder to replace our custom search logic.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/pip.py:docstring of meta_package_manager.managers.pip.Pip.search_all_cli, line 3.)

Todo

Mimics the Pip.outdated() operation. There is probably a way to factor the two into shared code.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/pipx.py:docstring of meta_package_manager.managers.pipx.Pipx.outdated, line 3.)

Todo

Automatically uninstall the package if the technology is different:

PS C:\Users\kev> winget upgrade --id Microsoft.Edge
A newer version was found, but the install technology is different from the current version installed. Please uninstall the package and install the newer version.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/winget.py:docstring of meta_package_manager.managers.winget.WinGet.upgrade_one_cli, line 16.)

Todo

Contribute generic autodetection method to Click Extra?

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/sbom/base.py:docstring of meta_package_manager.sbom.base.SBOM.autodetect_export_format, line 4.)

Todo

mpm doesn’t identify CVEs yet.

This feature might be solved by the SBOM implementation, as I think there are tools available that can take an SBOM export and cross-reference it with a CVE database.

Take a look at: https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 124.)
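
The cross-reference step this entry describes, combined with the --network gate proposed in the package_metadata_batch entry above, as an added example that is not mpm's code: PURLs are lifted from a CycloneDX export and sent to OSV's batch query endpoint (api.osv.dev/v1/querybatch, whose request and response shape is used here as documented by OSV; deps.dev would sit behind the same gate), and a `network` parameter stands in for the proposed flag so that an offline run reports every package as unchecked instead of quietly reporting nothing. The SBOM document, the response and the EXAMPLE-* advisory ids are constructed for the demo.

```python
"""SBOM-to-vulnerability cross-reference with an explicit network gate.

Added example, not mpm's code. The endpoint and request/response shape are OSV's
public batch API; the SBOM, the response and the EXAMPLE-* ids below are constructed.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass, field

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"


def purls_from_cyclonedx(sbom: dict) -> list[str]:
    """Collect PURLs from a CycloneDX JSON document's top-level `components`.
    Components without a purl (local, unpublished) cannot be looked up and are skipped."""
    return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]


def build_querybatch(purls: list[str]) -> dict:
    """OSV batch request: one query object per PURL, order preserved."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def match_results(purls: list[str], response: dict) -> dict[str, list[str]]:
    """OSV answers positionally: results[i] belongs to queries[i] ({} means no hits).
    Returns {purl: [sorted vuln ids]} for packages with at least one advisory."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError(f"expected {len(purls)} results, got {len(results)}")
    findings: dict[str, list[str]] = {}
    for purl, result in zip(purls, results):
        ids = sorted(v["id"] for v in result.get("vulns") or [])
        if ids:
            findings[purl] = ids
    return findings


def query_osv(purls: list[str], timeout: float = 10.0) -> dict:
    """The one network-touching call; nothing else in this module opens a socket."""
    body = json.dumps(build_querybatch(purls)).encode()
    req = urllib.request.Request(
        OSV_QUERYBATCH, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


@dataclass
class ScanReport:
    checked: bool  # False means nothing was looked up; this is not a clean bill
    findings: dict[str, list[str]] = field(default_factory=dict)
    unchecked: list[str] = field(default_factory=list)


def scan(sbom: dict, *, network: bool, fetch=query_osv) -> ScanReport:
    """Gate the lookup on `network` (stand-in for the proposed --network flag).
    Offline runs return every PURL as unchecked so CI cannot mistake them for clean."""
    purls = purls_from_cyclonedx(sbom)
    if not network:
        return ScanReport(checked=False, unchecked=purls)
    return ScanReport(checked=True, findings=match_results(purls, fetch(purls)))


# Constructed sample: two published components plus one local tool without a purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.0.0",
         "purl": "pkg:pypi/examplelib@1.0.0"},
        {"type": "library", "name": "otherlib", "version": "2.3.4",
         "purl": "pkg:npm/otherlib@2.3.4"},
        {"type": "application", "name": "local-tool", "version": "0.0.1"},
    ],
}
# Constructed response in OSV's shape: first package has one advisory, second has none.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-2024-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},
    ],
}

if __name__ == "__main__":
    print(scan(SAMPLE_SBOM, network=False))
    print(scan(SAMPLE_SBOM, network=True, fetch=lambda purls: SAMPLE_RESPONSE))
    # scan(SAMPLE_SBOM, network=True) performs the real lookup; only where egress is allowed.
```

Two caveats a practitioner would want: the `fetch` seam is what makes the gate testable (the offline path can be proven to open no socket), and a component without a purl is silently unqueryable, so the unchecked list, not just the findings, belongs in the report. OSV also pages large per-package result sets with a `next_page_token`, which this example does not follow.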

Todo

mpm doesn’t collect dependencies yet. Once it does these dependencies can augment the SBOM export.

The system managers mpm drives mostly expose flat installed lists, not dependency edges. Microsoft’s component-detection is a useful reference here: it produces a graph-based dependency output across ~30 ecosystems, the shape mpm would need to enrich its SBOM relationships and to back a future per-package dependency view.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 134.)
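
As an added example (neither mpm's code nor component-detection's), one way to get dependency edges out of a manager that can produce them: `npm ls --json --all` prints the installed tree as nested `dependencies` maps, which the code below flattens into per-package edges and emits in the shape of CycloneDX's `dependencies` array (`ref` plus `dependsOn`, keyed by PURL). The tree is a constructed sample in the shape of npm's output; the `%40scope/name` encoding of scoped packages follows the package-url spec.

```python
"""Dependency edges from `npm ls --json --all` into CycloneDX `dependencies`.

Added example, not mpm's code. SAMPLE_NPM_LS is a constructed tree in the shape of
npm's JSON output, not real packages.
"""
from __future__ import annotations

import json


def npm_purl(name: str, version: str) -> str:
    """PURL for an npm package. Scoped packages (@scope/name) put the scope in the
    namespace, with the leading '@' percent-encoded as the package-url spec requires."""
    if name.startswith("@"):
        scope, _, bare = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def npm_ls_to_edges(tree: dict) -> dict[str, set[str]]:
    """Flatten the nested `dependencies` maps into {purl: {dependency purls}}.

    The same package can appear at several places in the tree (nested installs),
    so edges are unioned per PURL. Entries without a version (npm reports unmet
    dependencies that way) are skipped rather than turned into a bogus edge.
    """
    root = npm_purl(tree["name"], tree["version"])
    edges: dict[str, set[str]] = {root: set()}
    stack = [(root, tree.get("dependencies", {}))]
    while stack:
        parent, deps = stack.pop()
        for name, info in deps.items():
            version = info.get("version")
            if not version:
                continue
            child = npm_purl(name, version)
            edges[parent].add(child)
            edges.setdefault(child, set())
            stack.append((child, info.get("dependencies", {})))
    return edges


def cyclonedx_dependencies(edges: dict[str, set[str]]) -> list[dict]:
    """CycloneDX `dependencies` entries: one per ref, dependsOn sorted for stable diffs."""
    return [{"ref": ref, "dependsOn": sorted(deps)} for ref, deps in sorted(edges.items())]


# Constructed sample shaped like `npm ls --json --all`: two direct deps sharing one
# transitive dep, plus an unmet dependency npm would flag in `problems`.
SAMPLE_NPM_LS = {
    "name": "demo-app",
    "version": "0.1.0",
    "dependencies": {
        "alpha": {"version": "1.2.0", "dependencies": {"shared": {"version": "3.0.0"}}},
        "@acme/beta": {"version": "2.0.0", "dependencies": {"shared": {"version": "3.0.0"}}},
        "missing-one": {
            "missing": True,
            "problems": ["missing: missing-one@^1.0.0, required by demo-app@0.1.0"],
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(cyclonedx_dependencies(npm_ls_to_edges(SAMPLE_NPM_LS)), indent=2))
```

This reflects what is installed on disk, which is the right source for an SBOM of a running system but can differ from the lockfile; a project-mode manager would parse `package-lock.json` instead. The same flattening applies to other managers that can emit a tree (pip's `pip inspect` lists each installed distribution's `requires_dist`, for instance), while flat-listing system managers need a separate dependency query per package, which is what the graph output of component-detection spares you.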

Todo

One future development direction might be to add a way to inventory all the components you're using on your system, track down their preferred funding platform (GitHub Sponsors, Liberapay or Patreon), and then have a way to fund all of them.

Homebrew already features some commands in that direction.

The LibreSelery project (archived since 2023) implemented a version of this: continuous distribution of funding to a project’s contributors and dependencies, wired into GitHub Actions.

See also this article, in which someone algorithmically donated $5000+ to open source via GitHub Sponsors and PyPI data.

This is being discussed at #501.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 151.)