fix(deps): skip sub-dependency ARGs, normalize pinning, and document known discrepancies

**Fixes for extraction accuracy:**
- Skip ARGs for sub-dependencies (e.g., NIXL_UCX_REF is for UCX, not NIXL)
  - Fixes false positive showing NIXL v1.19.0 (was actually UCX)
- Exclude PyTorch Triton from PyTorch normalization
  - PyTorch Triton (Triton compiler) is a separate package, not PyTorch
  - Was causing false positive showing 3 PyTorch versions instead of 2

**Version comparison improvements:**
- Add version normalization to ignore pinning style differences
  - '0.6.0' vs '<=0.6.0' are now treated as the same
  - '==32.0.1' vs '>=32.0.1,<33.0.0' are now treated as the same
- Only flag discrepancies when actual version numbers differ

**Documentation:**
- Add known_version_discrepancies section to config
- Document intentional PyTorch version difference:
  - TensorRT-LLM: 2.8.0 (from NVIDIA container)
  - vLLM: 2.7.1+cu128 (ARM64 wheel compatibility)

**Results:**
- Reduced from 6 to 4 real discrepancies
- Eliminated false positives from:
  - Sub-dependency ARGs (UCX)
  - Pinning style differences (NIXL, Kubernetes)
  - Package misidentification (PyTorch Triton)

Signed-off-by: Dan Gil <[email protected]>

Author: dagil-nvidia

.github/workflows/extract_dependency_versions.py

@@ -774,6 +774,15 @@ def extract_dockerfile_args(self, dockerfile_path: Path, component: str) -> None
                         # Extract version-related ARGs
                         version_keywords = ["VERSION", "REF", "TAG", "_VER"]
                         if any(kw in key for kw in version_keywords):
+                            # Skip sub-dependency ARGs that are clearly for related projects
+                            # e.g., NIXL_UCX_REF is for UCX (a dependency of NIXL), not NIXL itself
+                            skip_subdeps = [
+                                "_UCX_",  # UCX is a separate dependency
+                                "_NCCL_",  # NCCL is a separate dependency
+                            ]
+                            if any(subdep in key for subdep in skip_subdeps):
+                                continue
+                            
                             category = (
                                 "System"
                                 if key.startswith(
@@ -1849,6 +1858,12 @@ def normalize_dependency_name(self, name: str, category: str = "") -> str:
         # Convert to lowercase for comparison
         name_lower = name.lower()
 
+        # Special handling for PyTorch-related packages that should NOT be normalized to pytorch
+        # e.g., "pytorch triton" is the Triton compiler, not PyTorch itself
+        pytorch_exceptions = ["pytorch triton", "pytorch_triton", "triton"]
+        if any(exc in name_lower for exc in pytorch_exceptions):
+            return name_lower  # Don't normalize these
+        
         # Common normalization rules (ordered by specificity to avoid false matches)
         normalizations = {
             "tensorrt-llm": "tensorrt-llm",
@@ -1872,6 +1887,35 @@ def normalize_dependency_name(self, name: str, category: str = "") -> str:
         # This avoids false positives from overly broad matching
         return name_lower.strip()
 
+    def _normalize_version_for_comparison(self, version: str) -> str:
+        """
+        Normalize version string for comparison by removing pinning operators.
+        
+        This allows us to detect true version differences while ignoring
+        differences in how versions are pinned.
+        
+        Examples:
+            - "==0.115.12" -> "0.115.12"
+            - ">=0.115.0" -> "0.115.0"
+            - ">=32.0.1,<33.0.0" -> "32.0.1"
+            - "<=0.6.0" -> "0.6.0"
+            - "2.7.1+cu128" -> "2.7.1+cu128" (unchanged)
+        """
+        import re
+        
+        # Remove common Python version operators
+        # This regex captures: ==, >=, <=, ~=, !=, <, >, and extracts the version
+        version = version.strip()
+        
+        # Handle compound version specs like ">=32.0.1,<33.0.0" - take the first version
+        if "," in version:
+            version = version.split(",")[0].strip()
+        
+        # Remove operators
+        version = re.sub(r"^(==|>=|<=|~=|!=|<|>)\s*", "", version)
+        
+        return version.strip()
+
     def detect_version_discrepancies(self) -> List[Dict[str, any]]:
         """
         Detect dependencies that appear multiple times with different versions.
@@ -1884,6 +1928,7 @@ def detect_version_discrepancies(self) -> List[Dict[str, any]]:
         Note: This intentionally filters out some categories to reduce false positives:
         - Base/Runtime Images (intentionally different per component)
         - Go indirect dependencies (transitive, expected to vary)
+        - Pinning style differences (e.g., "0.6.0" vs "<=0.6.0" are considered the same)
         """
         # Categories to skip (expected to vary by component)
         skip_categories = {
@@ -1939,18 +1984,26 @@ def detect_version_discrepancies(self) -> List[Dict[str, any]]:
             )
 
         # Detect discrepancies: same normalized name with different versions
+        # Use normalized versions to ignore pinning style differences
         discrepancies = []
 
         for normalized_name, instances in dependency_groups.items():
-            # Get unique versions
-            versions = set(inst["version"] for inst in instances)
+            # Get unique normalized versions (ignoring pinning operators)
+            normalized_versions = set(
+                self._normalize_version_for_comparison(inst["version"])
+                for inst in instances
+            )
 
-            # If multiple versions exist, it's a discrepancy
-            if len(versions) > 1:
+            # If multiple normalized versions exist, it's a real discrepancy
+            if len(normalized_versions) > 1:
+                # Get the original versions for display
+                original_versions = sorted(set(inst["version"] for inst in instances))
+                
                 discrepancies.append(
                     {
                         "normalized_name": normalized_name,
-                        "versions": sorted(versions),
+                        "versions": original_versions,
+                        "normalized_versions": sorted(normalized_versions),
                         "instances": instances,
                         "is_critical": any(inst["critical"] for inst in instances),
                     }

.github/workflows/extract_dependency_versions_config.yaml

@@ -10,6 +10,14 @@ baseline:
   # The script automatically uses the previous extraction's count as the baseline
   dependency_count: 251
 
+known_version_discrepancies:
+  # Document intentional version discrepancies to reduce noise
+  # These will still be reported but marked as "known" with the provided reason
+  - dependency: "PyTorch"
+    reason: "TensorRT-LLM uses NVIDIA container (2.8.0), vLLM uses 2.7.1+cu128 (ARM64 wheel compatibility)"
+  - dependency: "torchvision"
+    reason: "Matches corresponding PyTorch versions across components"
+
 critical_dependencies:
   # List of critical dependencies (case-insensitive matching)
   # Supports exact names or partial matches (e.g., "CUDA" matches "NVIDIA CUDA")