dart-lang / pub

The pub command line tool

Home Page:https://dart.dev/tools/pub/cmd

pubspec.lock updated unexpectedly when running pub get command

iain-neirfeno opened this issue · comments

Environment

  • Dart version (run dart --version): Dart SDK version: 3.2.5 (stable) (Tue Jan 16 15:02:13 2024 +0000) on "macos_arm64"
  • OS kind and version (e.g. "Windows 10, version 1809" or "macOS 12.4"): macOS 13.1
  • Are you using the Chinese community mirror or a corporate firewall? NO

Problem

In the documentation here: https://dart.dev/tools/pub/versioning#lockfiles we have:

The next important thing pub does is it stops touching the lockfile. Once you’ve got a lockfile for your app, pub won’t touch it until you tell it to. This is important. It means you won’t spontaneously start using new versions of random packages in your app without intending to. Once your app is locked, it stays locked until you manually tell it to update the lockfile.

This is not true though, as running dart pub get will update any dependency that specifies a range (such as with the caret syntax). This means that the builds are not reproducible, since during the build process (after checking the code out of source control), when we run dart pub get, we will potentially have different versions of packages from previous times.

As an example, I have my pubspec.yaml:

dependencies:
  collection: ^1.17.2

my pubspec.lock:

packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687
      url: "https://pub.dev"
    source: hosted
    version: "1.17.2"

I then run dart pub get, and my pubspec.lock is updated to:

packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: ee67cb0715911d28db6bf4af1026078bd6f0128b07a5f66fb2ed94ec6783c09a
      url: "https://pub.dev"
    source: hosted
    version: "1.18.0"

Expected behavior

I would expect that there is a way to get the locked versions consistently (dart pub get) versus getting the latest compatible version (dart pub upgrade).

Actual behavior

dart pub get updates the lock file; while it does not update as much as dart pub upgrade, there needs to be a way to get exactly what is in the lock file for reproducible builds.

I cannot reproduce.

I use

Dart SDK version: 3.2.5 (stable) (Tue Jan 16 15:02:13 2024 +0000) on "linux_x64"

I make a pubspec.yaml and a pubspec.lock as you describe and run:

> dart pub get
Resolving dependencies... 
  collection 1.17.2 (1.18.0 available)
Got dependencies!
1 package has newer versions incompatible with dependency constraints.
Try `dart pub outdated` for more information.

There are cases where dart pub get will modify the pubspec.lock (to add new packages that were added to pubspec.yaml, or if the current version does not match the constraint). But it should not do so in this case. That would be quite a serious bug.

We have the flag dart pub get --enforce-lockfile for doing pub get in a production environment where you want to ensure that the lockfile doesn't change.

Questions:

  • Can you reproduce this reliably?
  • Can you make a git repository with a reproduction we can test on?
  • Can you attach the log file from running dart pub get -v ?

Without additional information we're not able to resolve this issue. Feel free to add more info or respond to any questions above and we can reopen the case. Thanks for your contribution!
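As an added example (not code from the pub project or from either participant in this issue), the script below diffs two pubspec.lock files and reports what changed and how. `dart pub get --enforce-lockfile` already fails the build when the lockfile would change; this is the audit step for the case the reporter describes, where you want to know which packages moved and whether a change is a version bump or, more worrying, a different archive sha256 at an unchanged version. It assumes only the lockfile layout shown above (a top-level `packages:` mapping with `description.name`, `description.sha256`, `description.url`, `source` and `version`) and parses just that scalar-mapping subset of YAML, so it needs no third-party library. The first two embedded lockfiles are reconstructed from the issue text; the third, with a hash-only change, is constructed to show the supply-chain case.

```python
"""Diff two pubspec.lock files and classify each change (added example, not pub's code)."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_simple_yaml(text: str) -> dict:
    """Parse nested mappings of scalars, the YAML subset pubspec.lock uses.

    A line is either `key:` (opens a nested mapping) or `key: value`; nesting
    follows indentation width. Lists and block scalars are not handled because
    the lockfile does not use them (assumption: 2-space indented lockfile).
    """
    root: dict = {}
    stack: List[Tuple[int, dict]] = [(-1, root)]  # (indent, mapping owning keys at that indent)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back to the mapping that owns this indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"').strip("'")
    return root


@dataclass(frozen=True)
class LockedPackage:
    name: str
    version: str
    source: str
    sha256: Optional[str]
    url: Optional[str]


def locked_packages(lock_text: str) -> Dict[str, LockedPackage]:
    """Extract the hosted-package identity fields that matter for reproducibility."""
    doc = parse_simple_yaml(lock_text)
    result: Dict[str, LockedPackage] = {}
    for name, entry in doc.get("packages", {}).items():
        desc = entry.get("description", {})
        if not isinstance(desc, dict):  # sdk/path entries carry a scalar description
            desc = {}
        result[name] = LockedPackage(name, entry.get("version", ""), entry.get("source", ""),
                                     desc.get("sha256"), desc.get("url"))
    return result


def diff_lockfiles(before_text: str, after_text: str) -> List[str]:
    """Return one finding per changed package; an empty list means the lock held."""
    before, after = locked_packages(before_text), locked_packages(after_text)
    findings: List[str] = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name), after.get(name)
        if b is None:
            findings.append(f"ADDED {name} {a.version}")
        elif a is None:
            findings.append(f"REMOVED {name} {b.version}")
        elif b.version != a.version:
            findings.append(f"VERSION {name} {b.version} -> {a.version}")
        elif b.sha256 != a.sha256:
            # Same version, different archive hash: the published artifact itself changed.
            findings.append(f"HASH {name} {a.version} {b.sha256} -> {a.sha256}")
        elif (b.source, b.url) != (a.source, a.url):
            findings.append(f"SOURCE {name} {b.source}/{b.url} -> {a.source}/{a.url}")
    return findings


# Lockfile contents reconstructed from the issue (before and after), plus a constructed
# variant whose only change is the archive hash at an unchanged version.
_TEMPLATE = """\
packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: {sha}
      url: "https://pub.dev"
    source: hosted
    version: "{ver}"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""
LOCK_BEFORE = _TEMPLATE.format(ver="1.17.2", sha="f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687")
LOCK_AFTER = _TEMPLATE.format(ver="1.18.0", sha="ee67cb0715911d28db6bf4af1026078bd6f0128b07a5f66fb2ed94ec6783c09a")
LOCK_TAMPERED = _TEMPLATE.format(ver="1.17.2", sha="0" * 64)  # constructed hash-only change

if __name__ == "__main__":
    # Usage in CI: snapshot pubspec.lock, run `dart pub get`, then diff the two files.
    pair = (open(sys.argv[1]).read(), open(sys.argv[2]).read()) if len(sys.argv) == 3 else (LOCK_BEFORE, LOCK_AFTER)
    drift = diff_lockfiles(*pair)
    print("\n".join(drift) or "lockfile unchanged")
    sys.exit(1 if drift else 0)
```

Run with two lockfile paths (`python lockdiff.py pubspec.lock.orig pubspec.lock`) it exits non-zero on any drift, which makes it usable as a gate alongside `--enforce-lockfile`; the HASH finding is the one to escalate, since it means the same version resolves to a different archive than the one previously reviewed.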