When `manifest = ...` is set, `] update` in a sub-project will remove necessary dependencies in `Manifest.toml`

[tpgillam]

When multiple sub-projects share a Manifest.toml via e.g. manifest = ../Manifest.toml, calling Pkg.update() within any sub-project is potentially destructive.

For context on the set-up, see e.g. #3590 , and @nickrobinson251's comment here: https://github.com/JuliaLang/Pkg.jl/pull/3263#issuecomment-1890426685

Suppose we have the structure:

A/
  src/
  Project.toml
B/
  src/
  Project.toml
  ...
Manifest.toml
Project.toml

where both A/Project.toml and B/Project.toml contain the entry manifest = ../Manifest.toml. Suppose A and B have some third-party dependencies, but do NOT depend on each other. The top-level environment has both A and B as local "develop" dependencies.

Calling Pkg.update() in the top level environment is entirely safe, and behaves as expected. It respects the requirements of both A and B simultaneously.

Calling Pkg.update() within A results in the following changes to the top level Manifest.toml:

• A's dependencies are updated, as expected
• B itself, and any dependencies (that are not also dependencies of A) are removed
• The project_hash changes (presumably to that computed from A/Project.toml)

I've observed this behaviour in Julia 1.9.4 and 1.10.0.

Ideally we would want an update in a sub-packge to be safe. Currently, Julia even encourages one to perform the destructive action above, because when activating the environment in A/ and running ] test, you see:

(A) pkg> test
┌ Warning: The project dependencies or compat requirements have changed since the manifest was last resolved.
│ It is recommended to `Pkg.resolve()` or consider `Pkg.update()` if necessary.

(presumably because project_hash corresponds to the top-level Project.toml rather than A/Projet.toml )