erlef / rebar3_hex

Rebar3 Hex library
Apache License 2.0

Publishing should probably ignore _checkouts #68

Closed filmor closed 3 years ago

filmor commented 7 years ago

Currently, when a dependency is put into _checkouts for development, rebar3_hex will silently remove that from the dependencies when trying to publish. It should probably prevent that or ignore the directory for this run.

ferd commented 7 years ago

Currently, dependencies put in _checkout are unlocked. Rebar3_hex afaict is basing itself off the rebar3 lock files. The objective was explicitly to prevent or cause caution around publishing of applications when they are in an unstable dependency position.

filmor commented 7 years ago

Yes, I get that, I'm fine with the idea. However, currently rebar3 hex publish will just publish anyways, excluding the dependencies that were put into _checkouts. It should refuse to continue.

tsloughter commented 7 years ago

Yea, you are right, it needs a large warning.

Originally the idea was that the user would check the list of dependencies that publish prints out before asking for the go ahead to publish and if they weren't right the user would tell it, no.

But esp with a lot of deps that can be easy to not notice.

starbelly commented 3 years ago

Since rebar3_hex no longer publishes packages on an app wide basis, I think this can be closed. Unless I'm missing something.

filmor commented 3 years ago

I don't understand how this would have changed anything? The problem was (I think) that rebar3 drops _checkouts-deps from the lock file (and/or the internal set of locked deps) which in turn is used by rebar3_hex to determine the dependencies.

ferd commented 3 years ago

Yeah, and it's impossible to lock what's in checkouts because it's untracked and can contain arbitrary code changes that wouldn't reflect in the app (including messing with other transitive dependencies).

It could refuse to continue or at least show a warning that a _checkouts directory is active and might interfere with publishing.

paulo-ferraz-oliveira commented 3 years ago

I'm not sure how we can refuse a plugin from continuing, but I like Fred's warning idea.
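
The refuse-or-warn behaviour discussed in this thread can also be enforced outside the plugin, for example as a CI step that runs before `rebar3 hex publish`. The script below is an added example, not code from rebar3 or rebar3_hex; the function names are hypothetical, and it assumes a locked dependency appears in `rebar.lock` as `<<"name">>`.

```shell
#!/bin/sh
# Added example: pre-publish guard for a rebar3 project (not rebar3_hex code).

# Print the name of every entry under <project>/_checkouts, one per line.
# Real directories and symlinks both count; an empty _checkouts prints nothing.
active_checkouts() {
    dir="$1/_checkouts"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        # An unmatched glob stays literal; the -e/-L tests filter it out
        # while still catching dangling symlinks.
        if [ -e "$entry" ] || [ -L "$entry" ]; then
            basename "$entry"
        fi
    done
}

# Return 0 when publishing may proceed, 1 when checkouts are active.
prepublish_guard() {
    project="${1:-.}"
    found=$(active_checkouts "$project")
    if [ -z "$found" ]; then
        return 0
    fi
    echo "refusing to publish: _checkouts is active in $project" >&2
    for name in $found; do
        # Assumption: a locked dep shows up in rebar.lock as <<"name">>.
        if [ -f "$project/rebar.lock" ] &&
           grep -qF "<<\"$name\">>" "$project/rebar.lock"; then
            echo "  $name (still listed in rebar.lock)" >&2
        else
            echo "  $name (NOT in rebar.lock, would be left out)" >&2
        fi
    done
    return 1
}
```

Sourcing the file and running `prepublish_guard . && rebar3 hex publish` stops the publish step whenever a checkout is present, instead of relying on someone spotting the shortened dependency list.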