[CP] Fix pub get behavior on old lockfile #51166

Closed
sigurdm opened this issue Jan 30, 2023 · 4 comments

Contributor
sigurdm commented Jan 30, 2023

Commit(s) to merge

dart-lang/pub#3754

Target

2.19 stable

Prepared changelist for beta/stable

https://dart-review.googlesource.com/c/sdk/+/280093

Issue Description

dart pub get will upgrade packages instead of preserving locked constraints when pubspec.lock was created by a pre-2.19.0 SDK.

This happens because we switched from using pub.dartlang.org to pub.dev as the default hosted url.
And although we normalize them to be the same, normalization was missing in one place, causing the version solver to consider the locked package-version incompatible with the constraint, and therefore unlocking them.

What is the fix

The fix is to normalize pub.dartlang.org to pub.dev everywhere we create the internal representation of a package constraint. Therefore retry from pub.dartlang.org is seen by the solver as related to retry from pub.dev, and the lock is preserved.

Why cherry-pick

This is a severe regression in the behavior of dart pub get.

It can be confusing and potentially dangerous if unintended version-upgrades of dependencies slip into production.

Further making this bug unfortunate is that 2.19.0 introduced a sha-256 field for each package in the lockfile. This can make the version upgrades harder to spot in a diff view.

Risk

medium

Issue link(s)

flutter/flutter#119091

Extra Info

(this has not been rolled to the sdk main yet).
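
The issue above notes that the new sha-256 fields, arriving together with the host change, make real version upgrades hard to spot in a lockfile diff. As an added example (not code from pub or the Dart SDK), this Python check compares two pubspec.lock files while ignoring sha256 lines and treating pub.dartlang.org as pub.dev; the line-based reader and both sample lockfiles are constructed assumptions.

```python
LEGACY_HOST, CURRENT_HOST = "https://pub.dartlang.org", "https://pub.dev"

def normalize_host(url):
    """Treat the legacy default host as the current one, as the fix describes."""
    return CURRENT_HOST if url == LEGACY_HOST else url

def parse_lock(text):
    """Line-based reader for the regular pubspec.lock layout (not a YAML parser).
    Returns {package: {"version": ..., "url": ...}}; other fields are ignored."""
    packages, current, in_packages = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:                      # top-level section (packages, sdks)
            in_packages, current = (key == "packages"), None
        elif in_packages and indent == 2:    # a package name
            current = packages.setdefault(key, {})
        elif current is not None and key in ("version", "url"):
            current[key] = normalize_host(value) if key == "url" else value
    return packages

def locked_changes(old_text, new_text):
    """Packages whose locked version or normalized host differs between lockfiles."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    return [(name, field, old[name].get(field), new[name].get(field))
            for name in sorted(old.keys() & new.keys())
            for field in ("version", "url")
            if old[name].get(field) != new[name].get(field)]

# Constructed sample: a pre-2.19.0 style lockfile, trimmed to the fields read above.
OLD_LOCK = """packages:
  path:
    description:
      url: "https://pub.dartlang.org"
    version: "1.8.2"
  retry:
    description:
      url: "https://pub.dartlang.org"
    version: "3.1.0"
"""
# Constructed sample: same lockfile after a 2.19.0 `dart pub get` that moved the
# host, added a sha256 line per package, and upgraded retry.
NEW_LOCK = OLD_LOCK.replace(LEGACY_HOST, CURRENT_HOST).replace(
    "url:", 'sha256: "constructed"\n      url:').replace("3.1.0", "3.1.1")

if __name__ == "__main__":
    print(locked_changes(OLD_LOCK, NEW_LOCK))
```

Run against the lockfile from before and after a `dart pub get`, an empty result means only the host and sha256 lines changed.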

@sigurdm sigurdm added the cherry-pick-review Issue that need cherry pick triage to approve label Jan 30, 2023
@sigurdm sigurdm changed the title [CP] <title> [CP] Fix pub get behavior on old lockfile Jan 30, 2023
Member
jonasfj commented Jan 30, 2023

LGTM

Member
athomas commented Jan 30, 2023

LGTM

Member
vsmenon commented Jan 30, 2023

lgtm

@athomas athomas added cherry-pick-approved Label for approved cherrypick request merge-to-stable and removed cherry-pick-review Issue that need cherry pick triage to approve labels Jan 30, 2023
@devoncarew devoncarew added the area-infrastructure Use area-infrastructure for SDK infrastructure issues, like continuous integration bot changes. label Feb 1, 2023
Contributor
sortie commented Feb 2, 2023

Released in 2.19.1.

@sortie sortie closed this as completed Feb 2, 2023