SFDO-Tooling / CumulusCI

Python framework for building portable automation for Salesforce projects
http://cumulusci.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Prevent Downgrade of dependencies #3641

Open yippie opened 1 year ago

yippie commented 1 year ago

Describe the bug

This is half a Salesforce bug because I can't believe it is allowed at all.

It seems that both Salesforce and CumulusCI will happily allow a minor version downgrade of unlocked packages.

Reproduction steps

  1. Have an Unlocked package with at least 2 minor releases under the same major release (4.4 and 4.3 in my case)
  2. Have a Cumulus CI project with at least 2 dependencies, one of which is the above DGPackage
  3. The other dependency should also depend on DGPackage and specify a tag of 4.3
  4. Run update_dependencies

Expected: version 4.4 will be the final installed version of DGPackage

Actual: Both 4.4 and 4.3 will be installed even though this is effectively installing the same package twice. Depending on the order dependencies are listed, 4.4 may be installed first and then 4.3 which will successfully downgrade the org to 4.3. This is a big problem if the ParentPKG was built using DGPackage 4.4 as it will fail to install with a dependency error even though update_dependencies was run.

Your CumulusCI and Python versions

CumulusCI version: 3.77.0 (/Users/kai.amundsen/.local/bin/cci)
Python version: 3.10.9 (/Users/kai.amundsen/.local/pipx/venvs/cumulusci/bin/python)

Operating System

macOS 13.4.1

Windows environment

No response

CumulusCI installation method

None

Error Gist

No response

Additional information

No response
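To make the ordering problem in the report concrete, the following is an added example (not CumulusCI's own code) that models a flattened dependency list containing DGPackage twice, once as a direct 4.4 dependency and once as ParentPKG's transitive 4.3 pin. A naive installer that applies entries in list order ends with 4.3 in the org; a resolver that collapses duplicates to the highest version and refuses to downgrade what is already installed keeps 4.4. Package names, the "major.minor" version format and the install model are assumptions taken from the report, not CumulusCI's real dependency resolution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    package: str   # hypothetical package name, e.g. "DGPackage"
    version: str   # "major.minor" string, as in the report


def parse_version(v: str) -> tuple:
    """Turn "4.10" into (4, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def naive_install(deps, org=None):
    """Apply dependencies in list order; mirrors the reported behaviour."""
    org = dict(org or {})
    for d in deps:
        org[d.package] = d.version   # blindly overwrites, so a later 4.3 downgrades 4.4
    return org


def resolve_highest(deps):
    """Collapse duplicate packages to the highest requested version."""
    wanted = {}
    for d in deps:
        current = wanted.get(d.package)
        if current is None or parse_version(d.version) > parse_version(current):
            wanted[d.package] = d.version
    return wanted


def safe_install(deps, org=None):
    """Install the resolved set, skipping anything that would downgrade the org."""
    org = dict(org or {})
    skipped = []   # (package, installed, requested) for each refused downgrade
    for pkg, ver in resolve_highest(deps).items():
        if pkg in org and parse_version(ver) < parse_version(org[pkg]):
            skipped.append((pkg, org[pkg], ver))
            continue
        org[pkg] = ver
    return org, skipped


# Constructed dependency list matching the report: DGPackage 4.4 first, then
# ParentPKG's transitive pin of DGPackage 4.3, then ParentPKG itself.
FLATTENED = [
    Dependency("DGPackage", "4.4"),
    Dependency("DGPackage", "4.3"),   # transitive pin from ParentPKG
    Dependency("ParentPKG", "1.0"),
]
```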

yippie commented 11 months ago

Fixed by https://github.com/SFDO-Tooling/CumulusCI/pull/3671