dart pub get --pristine/--locked #2890

Closed
jonasfj opened this issue Feb 23, 2021 · 6 comments · Fixed by #3482 or #3637
Labels
type-enhancement A request for a change that isn't a bug


jonasfj commented Feb 23, 2021

It would be nice to have a mode where dart pub get fails if pubspec.lock is missing or changes to pubspec.lock are required to satisfy pubspec.yaml.

Could be called dart pub get --locked or dart pub get --pristine.

Motivation: When doing a production build (or deployment) you explicitly want to avoid any deviation from pubspec.lock as this could result in shipping dependencies you have not tested.

@jonasfj jonasfj added the type-enhancement A request for a change that isn't a bug label Feb 23, 2021
@adarsh-technocrat

Hello, @jonasfj 👋 I want to go ahead and work on this issue. Would you please give me the initial steps to get started with? :)


jonasfj commented Mar 10, 2021

@adarsh-technocrat, I would suggest figuring out how to run tests locally, and then experiment, it probably just means:

  • Adding an option to dart pub get
  • Passing a new pristine argument to acquireDependencies
  • Figuring out all the adverse effects this could have, elsewhere in the code, if any :D
  • Writing a lot of tests to show that --pristine works, both positive and negative tests.

@adarsh-technocrat

> @adarsh-technocrat, I would suggest figuring out how to run tests locally, and then experiment, it probably just means:
>
>   • Adding an option to dart pub get
>   • Passing a new pristine argument to acquireDependencies
>   • Figuring out all the adverse effects this could have, elsewhere in the code, if any :D
>   • Writing a lot of tests to show that --pristine works, both positive and negative tests.

Thanks, @jonasfj, for guiding. I'll look into it.. :p


yjbanov commented Mar 10, 2021

I don't think adding an extra option to pub get will work in practice. People type pub get (and flutter packages get) by hand on the command-line, and they won't use this option. I think a better approach is to add this option to pubspec.yaml and have pub get pick it up from there. Then we don't have to rely on humans remembering to use this option.


jonasfj commented Mar 11, 2021

> I don't think adding an extra option to pub get will work in practice. People type pub get (and flutter packages get) by hand on the command-line, and they won't use this option.

Just to be clear:

  • pub get only modifies pubspec.lock if there is no other way to satisfy pubspec.yaml.
  • The alternative to modifying pubspec.lock is failing.

@yjbanov When would people prefer to fail, rather than just get their dependencies?


I envision that failing rather than modifying pubspec.lock is very attractive when deploying an application.
Because if your pubspec.yaml isn't satisfied by pubspec.lock then it's very likely that you didn't run test / QA with the same dependencies that you're deploying with.

But when doing local development, if I'm adding a dependency to pubspec.yaml then I just want dart pub get to update pubspec.lock as necessary. If I regret it, I can easily recover from git.

sigurdm added a commit that referenced this issue Oct 18, 2022
Compute a hash of each downloaded archive and store it in: $PUB_CACHE/hosted/<hosted-url>/.hashes/<package>-<version>.sha256 (details here still subject to change)

New optional field in the package listing api for the server to provide the content-hash. If that is provided - it is verified against the downloaded archive.

When writing a pubspec.lock file, the sha256 is included in the description of each hosted package.

On pub get, if the description of a package from pubspec.lock doesn't match the one in the cache, the archive is redownloaded - if the hash still doesn't match, the resolution fails with an error.

Has been moved to a follow-up PR: Introduce a new option dart pub get --enforce-lockfile. A mode that will NOT modify pubspec.lock. That means:

  • won't add hashes if missing,
  • will refuse to resolve if pubspec.yaml isn't satisfied,
  • will refuse to resolve if hashes don't match cached hashes,
  • will refuse to resolve if pubspec.lock is missing,
  • will verify that the extracted package content matches the contents of the original archive.

This is useful when deploying to production.

Fixes: dart pub get --pristine/--locked #2890 and locked option in pubspec.yaml #2905

An unfortunate side-effect of this change is that all already downloaded packages will be re-downloaded (because we don't store the archives, only the extracted files) to compute their hashes.
@sigurdm sigurdm reopened this Nov 4, 2022

sigurdm commented Nov 4, 2022

This was not completed in #3482, but separated to a later PR.
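
The refusal conditions listed in the commit message above, sketched as a small Python model (an added example, not code from pub or from anyone in this thread). It covers the missing lock file, unsatisfied pubspec.yaml and hash mismatch cases only; `enforce_lockfile`, `fetch`, the package names and the archive bytes are constructed for illustration, and pubspec.yaml is reduced to a set of package names.

```python
import hashlib

class LockfileError(Exception):
    """Raised where this model refuses to resolve."""

def sha256_hex(archive: bytes) -> str:
    return hashlib.sha256(archive).hexdigest()

def enforce_lockfile(pubspec_deps, lock, fetch):
    """Check a lock file without ever modifying it.

    pubspec_deps: package names required by pubspec.yaml (simplified: names only)
    lock: None when pubspec.lock is missing, else
          {name: {"version": str, "sha256": hex digest or None}}
    fetch: hypothetical callable (name, version) -> archive bytes
    Returns the (name, version) pairs whose archive hash was verified.
    """
    if lock is None:
        raise LockfileError("pubspec.lock is missing")
    unlocked = sorted(set(pubspec_deps) - set(lock))
    if unlocked:
        raise LockfileError(f"pubspec.lock does not satisfy pubspec.yaml: {unlocked}")
    verified = []
    for name in sorted(lock):
        version, expected = lock[name]["version"], lock[name].get("sha256")
        if expected is None:
            continue  # no hash recorded; none is added, the lock file stays as it is
        if sha256_hex(fetch(name, version)) != expected:
            raise LockfileError(f"content hash mismatch for {name} {version}")
        verified.append((name, version))
    return verified

# Constructed sample data: two archives and the lock file written when they were tested.
ARCHIVES = {("pkg_a", "1.0.0"): b"constructed archive: pkg_a 1.0.0",
            ("pkg_b", "2.1.0"): b"constructed archive: pkg_b 2.1.0"}
LOCK = {n: {"version": v, "sha256": sha256_hex(data)} for (n, v), data in ARCHIVES.items()}

def outcome(pubspec_deps, lock, archives):
    """Run the check and return the verified list, or the refusal message."""
    try:
        return enforce_lockfile(pubspec_deps, lock, lambda n, v: archives[(n, v)])
    except LockfileError as err:
        return str(err)

if __name__ == "__main__":
    tampered = {**ARCHIVES, ("pkg_b", "2.1.0"): b"constructed archive: pkg_b 2.1.0 (modified)"}
    print(outcome({"pkg_a", "pkg_b"}, LOCK, ARCHIVES))           # both verified
    print(outcome({"pkg_a", "pkg_b"}, LOCK, tampered))           # hash mismatch
    print(outcome({"pkg_a", "pkg_b", "pkg_c"}, LOCK, ARCHIVES))  # pubspec.yaml not satisfied
    print(outcome({"pkg_a", "pkg_b"}, None, ARCHIVES))           # lock file missing
```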
