{"id":45792272,"url":"https://github.com/dfetch-org/dfetch","last_synced_at":"2026-02-26T12:09:17.831Z","repository":{"id":37074374,"uuid":"304039215","full_name":"dfetch-org/dfetch","owner":"dfetch-org","description":"Dependency fetcher","archived":false,"fork":false,"pushed_at":"2026-02-22T22:02:25.000Z","size":10496,"stargazers_count":12,"open_issues_count":24,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-23T02:21:09.379Z","etag":null,"topics":["dependencies","dependency-manager","git","svn","vendoring"],"latest_commit_sha":null,"homepage":"https://dfetch.rtfd.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dfetch-org.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.rst","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-10-14T14:22:45.000Z","updated_at":"2026-02-21T22:12:10.000Z","dependencies_parsed_at":"2026-01-29T00:01:59.594Z","dependency_job_id":null,"html_url":"https://github.com/dfetch-org/dfetch","commit_stats":{"total_commits":1040,"total_committers":11,"mean_commits":94.54545454545455,"dds":0.6163461538461539,"last_synced_commit":"a54accdda3f551decbed4e8e55ec251b7dd6998d"},"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/dfetch-org/dfetch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfetch-org%2Fdfetch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfetch-org%2Fdfetch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfetch-org%2Fdfetch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfetch-org%2Fdfetch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dfetch-org","download_url":"https://codeload.github.com/dfetch-org/dfetch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfetch-org%2Fdfetch/sbom","scorecard":{"id":338976,"data":{"date":"2025-08-11","repo":{"name":"github.com/dfetch-org/dfetch","commit":"a0c8f87768b79712621301293a4df5efad176f82"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.5,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/1 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/devcontainer.yml:1","Warn: no topLevel permission defined: .github/workflows/docs.yml:1","Warn: no topLevel permission defined: .github/workflows/landing-page.yml:1","Warn: no topLevel permission defined: .github/workflows/python-publish.yml:1","Warn: no topLevel permission defined: .github/workflows/run.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/devcontainer.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/devcontainer.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/devcontainer.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/devcontainer.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/devcontainer.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/devcontainer.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/devcontainer.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/devcontainer.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/landing-page.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/landing-page.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/landing-page.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/landing-page.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/landing-page.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/landing-page.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/python-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/python-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/run.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/run.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/run.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/run.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/run.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/dfetch-org/dfetch/test.yml/main?enable=pin","Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:1: pin your Docker image by updating mcr.microsoft.com/devcontainers/python:1-3.12-bullseye to mcr.microsoft.com/devcontainers/python:1-3.12-bullseye@sha256:cf244ba2b96e9515d1f9efb6641419e9cfec8a9de5fa15bf1e6c76a7928f5383","Warn: pipCommand not pinned by hash: .devcontainer/Dockerfile:23-25","Warn: pipCommand not pinned by hash: .devcontainer/Dockerfile:23-25","Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:18","Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:18","Warn: pipCommand not pinned by hash: .github/workflows/landing-page.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/landing-page.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/python-publish.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/python-publish.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/python-publish.yml:31","Warn: chocoCommand not pinned by hash: .github/workflows/run.yml:78","Warn: pipCommand not pinned by hash: .github/workflows/run.yml:83","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:30","Info:   0 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of  11 pipCommand dependencies pinned","Info:   0 out of   1 chocoCommand dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T05:21:10.991Z","repository_id":37074374,"created_at":"2025-08-18T05:21:10.992Z","updated_at":"2025-08-18T05:21:10.992Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29858481,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T08:51:08.701Z","status":"ssl_error","status_checked_at":"2026-02-26T08:50:19.607Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependencies","dependency-manager","git","svn","vendoring"],"created_at":"2026-02-26T12:09:17.314Z","updated_at":"2026-02-26T12:09:17.822Z","avatar_url":"https://github.com/dfetch-org.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](doc/images/dfetch_header.png)\n[![](https://codescene.io/projects/10989/status-badges/code-health)](https://codescene.io/projects/10989)\n[![](https://codescene.io/projects/10989/status-badges/system-mastery)](https://codescene.io/projects/10989)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/431474d43db0420a92ebc10c1886df8d)](https://app.codacy.com/gh/dfetch-org/dfetch?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=dfetch-org/dfetch\u0026utm_campaign=Badge_Grade)\n[![Codacy Badge](https://app.codacy.com/project/badge/Coverage/503c21c8e46b4baca0b4519bcc9fd51e)](https://www.codacy.com/gh/dfetch-org/dfetch/dashboard?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=dfetch-org/dfetch\u0026utm_campaign=Badge_Coverage)\n[![Documentation Status](https://readthedocs.org/projects/dfetch/badge/?version=latest)](https://dfetch.readthedocs.io/en/latest/?badge=latest)\n[![Build](https://github.com/dfetch-org/dfetch/workflows/Test/badge.svg)](https://github.com/dfetch-org/dfetch/actions)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![GitHub](https://img.shields.io/github/license/dfetch-org/dfetch)](https://github.com/dfetch-org/dfetch/blob/main/LICENSE)\n[![Gitter](https://badges.gitter.im/dfetch-org/community.svg)](https://gitter.im/dfetch-org/community?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge)\n[![Libraries.io dependency status for GitHub repo](https://img.shields.io/librariesio/github/dfetch-org/dfetch)](https://libraries.io/github/dfetch-org/dfetch)\n![Maintenance](https://img.shields.io/maintenance/yes/2026)\n[![GitHub issues](https://img.shields.io/github/issues/dfetch-org/dfetch)](https://github.com/dfetch-org/dfetch/issues)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/dfetch)\n[![PyPI](https://img.shields.io/pypi/v/dfetch)](https://pypi.org/project/dfetch/)\n[![Contribute with Codespaces](https://img.shields.io/static/v1?label=Codespaces\u0026message=Open\u0026color=blue)](https://codespaces.new/dfetch-org/dfetch)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11245/badge)](https://www.bestpractices.dev/projects/11245)\n\n\n**DFetch can manage dependencies**\n\nWe make products that can last 15+ years; because of this we want to be able to have all sources available\nto build the entire project from source without depending on external resources.\nFor this, we needed a dependency manager that was flexible enough to retrieve dependencies as plain text\nfrom various sources. `svn externals`, `git submodules` and `git subtrees` solve a similar\nproblem, but not in a VCS-agnostic way or completely user-friendly way.\nWe want self-contained code repositories without any hassle for end-users.\nDfetch must promote upstreaming changes, but allow for local customizations.\nThe problem is described thoroughly in [managing external dependencies](https://embeddedartistry.com/blog/2020/06/22/qa-on-managing-external-dependencies/) and sometimes\nis also known as [*vendoring*](https://dfetch.readthedocs.io/en/latest/vendoring.html).\n\nOther tools that do similar things are ``Zephyr's West``, ``CMake ExternalProject`` and other meta tools.\nSee [alternatives](https://dfetch.readthedocs.io/en/latest/alternatives.html) for a complete list.\n\n[**Getting started**](https://dfetch.readthedocs.io/en/latest/getting_started.html) |\n[**Manual**](https://dfetch.readthedocs.io/en/latest/manual.html) |\n[**Troubleshooting**](https://dfetch.readthedocs.io/en/latest/troubleshooting.html)  |\n[**Contributing**](https://dfetch.readthedocs.io/en/latest/contributing.html)\n\n## Problems DFetch Solves\n\n* Declarative code reuse across projects ([inner sourcing](https://about.gitlab.com/topics/version-control/what-is-innersource/))\n* Compose multi-repo code bases into a single working tree\n* Vendoring dependencies for reproducible builds\n* Apply local patches while keeping upstream syncable\n* VCS-agnostic dependency management\n* Self-contained exports for releases or audits\n\n## Install\n\n### Stable\n\n```bash\npip install dfetch\n```\n\n### latest version\n\n```bash\npip install git+https://github.com/dfetch-org/dfetch.git#egg=dfetch\n```\n\n### Binary distributions\n\nEach release on the [releases page](https://github.com/dfetch-org/dfetch/releases) provides installers for all major platforms.\n\n- Linux `.deb` \u0026 `.rpm`\n- macOS `.pkg`\n- Windows `.msi`\n\n## Github Action\n\nYou can use DFetch in your Github Actions workflow to check your dependencies.\nThe results will be uploaded to Github. Add the following to your workflow file:\n\n```yaml\njobs:\n  dfetch-check:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      security-events: write\n    steps:\n      - name: Run Dfetch Check\n        uses: dfetch-org/dfetch@main\n        with:\n          working-directory: '.' # optional, defaults to project root\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfetch-org%2Fdfetch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdfetch-org%2Fdfetch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfetch-org%2Fdfetch/lists"}