This is half a Salesforce bug because I can't believe it is allowed at all.
It seems that both Salesforce and CumulusCI both will happily allow a minor version downgrade of unlocked packages.
Reproduction steps
Have an Unlocked package with at least 2 minor releases under the same major release (4.4 and 4.3 in my case)
Have a Cumulus CI project with at least 2 dependencies, one of which is the above DGPackage
The other dependency should also depend on DGPackage and specify a tag of 4.3
Run update_dependencies
Expected: version 4.4 will be the final installed version of DGPackage
Actual: Both 4.4 and 4.3 will be installed even though this is effectively installing the same package twice. Depending on the order dependencies are listed, 4.4 may be installed first and then 4.3 which will successfully downgrade the org to 4.3. This is a big problem if the ParentPKG was built using DGPackage 4.4 as it will fail to install with a dependency error even though update_dependencies was run.
Describe the bug
This is half a Salesforce bug because I can't believe it is allowed at all.
It seems that both Salesforce and CumulusCI both will happily allow a minor version downgrade of unlocked packages.
Reproduction steps
Expected: version 4.4 will be the final installed version of DGPackage
Actual: Both 4.4 and 4.3 will be installed even though this is effectively installing the same package twice. Depending on the order dependencies are listed, 4.4 may be installed first and then 4.3 which will successfully downgrade the org to 4.3. This is a big problem if the ParentPKG was built using DGPackage 4.4 as it will fail to install with a dependency error even though update_dependencies was run.
Your CumulusCI and Python versions
CumulusCI version: 3.77.0 (/Users/kai.amundsen/.local/bin/cci) Python version: 3.10.9 (/Users/kai.amundsen/.local/pipx/venvs/cumulusci/bin/python)
Operating System
macOS 13.4.1
Windows environment
No response
CumulusCI installation method
None
Error Gist
No response
Additional information
No response