pubspec.lock updated unexpectedly when running pub get command
iain-neirfeno opened this issue · comments
Environment
- Dart version (run `dart --version`): Dart SDK version: 3.2.5 (stable) (Tue Jan 16 15:02:13 2024 +0000) on "macos_arm64"
- OS kind and version (e.g. "Windows 10, version 1809" or "macOS 12.4"): macOS 13.1
- Are you using the Chinese community mirror or a corporate firewall? NO
Problem
In the documentation here: https://dart.dev/tools/pub/versioning#lockfiles we have:
> The next important thing pub does is it stops touching the lockfile. Once you’ve got a lockfile for your app, pub won’t touch it until you tell it to. This is important. It means you won’t spontaneously start using new versions of random packages in your app without intending to. Once your app is locked, it stays locked until you manually tell it to update the lockfile.
This is not true though, as running `dart pub get` will update any dependency that specifies a range (such as with the caret syntax). This means that the builds are not reproducible, as during the build process (after checking the code out of source control), when we run `dart pub get`, we will potentially have different versions of packages to previous times.
As an example, I have my pubspec.yaml:

```yaml
dependencies:
  collection: ^1.17.2
```
my pubspec.lock:

```yaml
packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687
      url: "https://pub.dev"
    source: hosted
    version: "1.17.2"
```
I then run `dart pub get`, and my pubspec.lock is updated to:
```yaml
packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: ee67cb0715911d28db6bf4af1026078bd6f0128b07a5f66fb2ed94ec6783c09a
      url: "https://pub.dev"
    source: hosted
    version: "1.18.0"
```
Expected behavior
I would expect that there is a way to get the locked versions consistently (`dart pub get`), versus getting the latest compatible version (`dart pub upgrade`).
Actual behavior
`dart pub get` updates the lock file. While it does not update as much as `dart pub upgrade`, there needs to be a way to get exactly what is in the lock file for reproducible builds.
I cannot reproduce.
I use
Dart SDK version: 3.2.5 (stable) (Tue Jan 16 15:02:13 2024 +0000) on "linux_x64"
I make a pubspec.yaml and a pubspec.lock as you describe and run:

```
> dart pub get
Resolving dependencies...
collection 1.17.2 (1.18.0 available)
Got dependencies!
1 package has newer versions incompatible with dependency constraints.
Try `dart pub outdated` for more information.
```
There are cases where `dart pub get` will modify the pubspec.lock (to add new packages that were added to pubspec.yaml, or if the current version does not match the constraint). But it should not do so in this case. That would be quite a serious bug.
We have the flag `dart pub get --enforce-lockfile` for doing pub get in a production environment where you want to ensure that the lockfile doesn't change.
Questions:
- Can you reproduce this reliably?
- Can you make a git repository with a reproduction we can test on?
- Can you attach the log file from running `dart pub get -v`?
Without additional information we're not able to resolve this issue. Feel free to add more info or respond to any questions above and we can reopen the case. Thanks for your contribution!
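The thread turns on whether `dart pub get` silently changes pubspec.lock, which is exactly the drift a reproducible build pipeline must catch. The script below is an added example, not part of the pub tool or of this issue: it compares a lockfile snapshot taken at checkout with the one left behind after `dart pub get` and reports every package whose pinned version or `sha256` moved, so a CI job can fail (alongside, or as a cross-check for, `--enforce-lockfile`). It assumes only the fixed two-space layout pub writes, as shown in the report; the two embedded lockfiles are constructed samples (the `collection` entries mirror the report, the extra `path` entry and its all-zero digest are made up to exercise the "package added" case).

```python
"""Lockfile drift check for pubspec.lock (added example; not part of pub).

Usage: python lock_drift.py BEFORE.lock AFTER.lock
Exit status 1 when the two snapshots differ, so it can gate a CI job.
Run without arguments to see the check on the constructed samples below.
"""
import sys
from typing import Dict, Optional, Tuple

PkgInfo = Tuple[Optional[str], Optional[str]]  # (version, sha256)

# Constructed sample: the lockfile from the report before `dart pub get`.
LOCK_BEFORE = """\
packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: f092b211a4319e98e5ff58223576de6c2803db36221657b46c82574721240687
      url: "https://pub.dev"
    source: hosted
    version: "1.17.2"
sdks:
  dart: ">=3.2.0 <4.0.0"
"""

# Constructed sample: collection bumped as in the report, plus a made-up
# `path` entry whose sha256 is a placeholder (not a real digest) to show
# that newly added packages are reported too.
LOCK_AFTER = """\
packages:
  collection:
    dependency: "direct main"
    description:
      name: collection
      sha256: ee67cb0715911d28db6bf4af1026078bd6f0128b07a5f66fb2ed94ec6783c09a
      url: "https://pub.dev"
    source: hosted
    version: "1.18.0"
  path:
    dependency: transitive
    description:
      name: path
      sha256: "0000000000000000000000000000000000000000000000000000000000000000"
      url: "https://pub.dev"
    source: hosted
    version: "1.9.0"
sdks:
  dart: ">=3.2.0 <4.0.0"
"""


def parse_lock(text: str) -> Dict[str, PkgInfo]:
    """Map package name -> (version, sha256) from the `packages:` section.

    Handles only the fixed two-space indentation pub writes; this is not a
    general YAML parser.
    """
    packages: Dict[str, PkgInfo] = {}
    current: Optional[str] = None
    version: Optional[str] = None
    sha: Optional[str] = None
    in_packages = False

    def flush() -> None:  # record the entry being read, if any
        if current is not None:
            packages[current] = (version, sha)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # top-level section header such as packages: / sdks:
            flush()
            current = None
            in_packages = line == "packages:"
            continue
        if not in_packages:
            continue
        if indent == 2 and line.endswith(":"):  # start of a package entry
            flush()
            current, version, sha = line[:-1], None, None
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if key == "version":
            version = value
        elif key == "sha256":
            sha = value
    flush()
    return packages


def lock_drift(before: str, after: str) -> Dict[str, str]:
    """Describe every package that was added, removed, or re-pinned."""
    old, new = parse_lock(before), parse_lock(after)
    drift: Dict[str, str] = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            drift[name] = f"added {new[name][0]}"
        elif name not in new:
            drift[name] = f"removed {old[name][0]}"
        elif old[name] != new[name]:  # version or sha256 differs
            drift[name] = f"changed {old[name][0]} -> {new[name][0]}"
    return drift


def lockfile_unchanged(before: str, after: str) -> bool:
    """Byte-for-byte equality: the strict check a release build wants."""
    return before == after


def main(argv) -> int:
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as f:
            before = f.read()
        with open(argv[2], encoding="utf-8") as f:
            after = f.read()
    else:
        before, after = LOCK_BEFORE, LOCK_AFTER  # demo on the constructed samples
    if lockfile_unchanged(before, after):
        print("pubspec.lock unchanged")
        return 0
    for name, what in lock_drift(before, after).items():
        print(f"{name}: {what}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the "before" file is a copy of pubspec.lock made right after checkout and the "after" file is pubspec.lock once `dart pub get` has run; a non-zero exit then blocks the build and the printed lines show which package moved and to what, which is the detail a plain "lockfile changed" failure from `--enforce-lockfile` does not give.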