[CP] Fix pub get behavior on old lockfile #51166
Labels
area-infrastructure
cherry-pick-approved
merge-to-stable
Commit(s) to merge
dart-lang/pub#3754
Target
2.19 stable
Prepared changelist for beta/stable
https://dart-review.googlesource.com/c/sdk/+/280093
Issue Description
dart pub get will upgrade packages instead of preserving locked constraints when pubspec.lock was created by a pre-2.19.0 SDK. This happens because we switched from using pub.dartlang.org to pub.dev as the default hosted URL. Although we normalize them to be the same, the normalization was missing in one place, causing the version solver to consider the locked package version incompatible with the constraint, and therefore to unlock it.
What is the fix
The fix is to normalize pub.dartlang.org to pub.dev everywhere we create the internal representation of a package constraint. Therefore retry from pub.dartlang.org is seen by the solver as related to retry from pub.dev, and the lock is preserved.
Why cherry-pick
This is a severe regression in the behavior of dart pub get. It can be confusing and potentially dangerous if unintended version upgrades of dependencies slip into production.
Further making this bug unfortunate is that 2.19.0 introduced a sha-256 field for each package in the lockfile. This can make the version upgrades harder to spot in a diff view.
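As an added illustration (not pub's own code), the following Python script shows both points above: the hosted-URL normalization that lets the solver treat a package locked from pub.dartlang.org as the same package as a pub.dev dependency, and a lockfile comparison that reports resolved-version changes while ignoring the sha256 churn a 2.19 rewrite adds to the diff. The two lockfiles, their sha256 values and package versions are constructed sample data, and the function names are this example's own.

```python
import re

# Hosts that pub treats as the same default repository (pub.dartlang.org became pub.dev).
_LEGACY_HOSTS = {"pub.dartlang.org": "pub.dev"}


def normalize_hosted_url(url: str) -> str:
    """Canonicalize a hosted-source URL: lowercase scheme/host, map legacy host, drop trailing slash."""
    m = re.match(r"^(https?)://([^/]+)(/.*)?$", url.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported hosted url: {url!r}")
    scheme, host, path = m.group(1).lower(), m.group(2).lower(), m.group(3) or ""
    host = _LEGACY_HOSTS.get(host, host)
    return f"{scheme}://{host}{path.rstrip('/')}"


def lock_matches_dependency(locked_url: str, dependency_url: str) -> bool:
    """The comparison the fix describes: a locked hosted package is reusable only when its
    description points at the same repository as the dependency. Comparing raw strings
    would make pub.dartlang.org != pub.dev and unlock the package."""
    return normalize_hosted_url(locked_url) == normalize_hosted_url(dependency_url)


def parse_lockfile(text: str) -> dict:
    """Parse the YAML subset pubspec.lock uses (nested two-space maps of scalars), no PyYAML needed."""
    root: dict = {}
    stack: list = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while stack[-1][0] >= indent:  # close levels deeper than or equal to this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare key opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def hosted_packages(lock: dict) -> dict:
    """Map package name -> (normalized hosted url, resolved version) for hosted packages."""
    out = {}
    for name, entry in lock.get("packages", {}).items():
        if entry.get("source") != "hosted":
            continue
        out[name] = (normalize_hosted_url(entry["description"]["url"]), entry["version"])
    return out


def version_drift(old_text: str, new_text: str) -> dict:
    """Return {package: (old_version, new_version)} for hosted packages whose resolved version
    changed. A package that only gained a sha256 field or moved between equivalent hosts is
    not reported, so a real upgrade is not buried in hash noise."""
    old = hosted_packages(parse_lockfile(old_text))
    new = hosted_packages(parse_lockfile(new_text))
    drift = {}
    for name in sorted(old.keys() & new.keys()):
        if old[name][1] != new[name][1]:
            drift[name] = (old[name][1], new[name][1])
    return drift


# Constructed sample lockfiles (not from a real project): OLD_LOCK as a pre-2.19 SDK wrote it,
# NEW_LOCK as 2.19 rewrote it after a pub get that silently upgraded retry.
OLD_LOCK = """\
packages:
  collection:
    dependency: transitive
    description:
      name: collection
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.16.0"
  retry:
    dependency: "direct main"
    description:
      name: retry
      url: "https://pub.dartlang.org"
    source: hosted
    version: "3.1.0"
"""

NEW_LOCK = """\
packages:
  collection:
    dependency: transitive
    description:
      name: collection
      sha256: "0000000000000000000000000000000000000000000000000000000000000001"
      url: "https://pub.dev"
    source: hosted
    version: "1.16.0"
  retry:
    dependency: "direct main"
    description:
      name: retry
      sha256: "0000000000000000000000000000000000000000000000000000000000000002"
      url: "https://pub.dev"
    source: hosted
    version: "3.1.1"
"""

if __name__ == "__main__":
    for name, (old_ver, new_ver) in version_drift(OLD_LOCK, NEW_LOCK).items():
        print(f"{name}: {old_ver} -> {new_ver}")
```

Run against the two sample lockfiles it reports only `retry: 3.1.0 -> 3.1.1`; the collection entry, which changed host and gained a sha256 line but kept its version, is not reported. The same function applied to a real before/after pair of pubspec.lock files is a quick way to confirm that an SDK upgrade did not unlock anything.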
Risk
medium
Issue link(s)
flutter/flutter#119091
Extra Info
(This has not been rolled to the SDK main yet.)