Dfetch — vendor dependencies without the pain

Dfetch copies source code directly into your project — no Git submodules, no SVN externals, no hidden external links. Fetch from Git, SVN, or plain archive URLs. Dependencies live as plain, readable files inside your own repository. You stay in full control of every line.

Dfetch is supply-chain ready out of the box: generate SBOMs, detect licenses, and export reports for Jenkins, SARIF, and Code Climate. Apply local patches and keep them syncable with upstream. See Vendoring for background on the problem this solves.

Tutorials

• Installation
  • From pip
  • Binary distributions
  • Validating Installation
  • Verifying release integrity
• Getting Started
  • Main concepts
  • My first manifest
  • My first update
  • My first version change
  • My first remote
  • My first patch

How-to Guides

• Migrate to Dfetch
  • From Git submodules
  • From SVN externals
• Add a project
  • Editing the manifest directly
  • Using dfetch add
  • Using dfetch add -i (interactive wizard)
• Update projects
  • Fetching all projects
  • Updating a single project
  • Overwriting local changes
  • Sub-manifests
  • Git submodules
• Remove a project
  • Removing a single project
  • Removing multiple projects
  • Manifest backup behavior
• Patch a project
  • Capturing local changes
  • Adding the patch to the manifest
  • Refreshing a patch
  • Contributing the patch upstream
• Check projects in CI
  • Running dfetch check in CI
  • Jenkins (warnings-ng)
  • GitHub Actions (SARIF)
  • GitLab CI (Code Climate)
• Generate an SBOM
  • License detection auditability
  • Viewing the SBOM in DependencyTrack
  • GitLab
  • GitHub Actions
• Troubleshoot
  • Step 1: Check your environment
  • Step 2: Use verbose mode
  • Step 3: Reporting issues
  • Security issues
• Contribute to Dfetch
  • Virtual Environment
  • Running in Github Codespaces
  • Running in VSCode
  • Quality
  • Testing
  • Creating documentation
  • Releasing

Reference

• Manifest
  • Remotes
  • Projects
  • Schema
• Commands
  • Init
  • Import
  • Add
  • Remove
  • Check
  • Update
  • Diff
  • Update patch
  • Format patch
  • Report
  • Freeze
  • Environment
  • Validate
• Glossary
• CLI Cheatsheet
• Changelog
• Legal
  • Third-party libraries

Explanation

• Vendoring
  • What People Mean by Vendoring
  • Transitive Dependencies
  • A Brief History
  • Vendoring Across Languages
  • Conclusion
  • Best Practices
  • Further Reading
• Alternatives
• Architecture
  • C1 - Context
  • C2 - Containers
  • C3 - Components
• Security Model
  • Product Security Context

Appendix

• Appendix: Feature Examples