I have a package on my system that depends on a outdated version of Electron. If I add it to permittedInsecurePackages, I can build my system, and then figure out which package is pulling it in, but I would prefer to be able to diagnose without building and deploying. Is there a way to investigate why a package is needed without building the system?
Especially if it might work when the current system config WON’T build.
--show-trace tells you this info
Have a look at GitHub - utdemir/nix-tree: Interactively browse dependency graphs of Nix derivations.
nix-tree is something I recommend regularly for other usecases, but it won’t work if the config doesn’t evaluate.
For build-time dependencies such as electron in your case, nix why-depends --derivation flag might help?
That still requires evaluation to complete. Like nix-tree, that wouldn’t work here unless they have already allowed the insecure package.
Ah correct! I was skimming the actual description too quickly and the title had me believe that it was about building, but re-reading the description it seems to actually be about evaluation as you say.