
[Improvement] being warned if paket.lock was edited

See original GitHub issue

Description

In some scenarios we found out that paket.lock had been edited. It could be for a good or a bad reason; this is not the point. The thing we found out is that constraints were edited instead of pinning a third party, for example. The issue is that when you try to roll back to this previous state, removing paket.lock and redoing a paket install, it took us a few hours to understand that it was in fact a manual edit that was the origin.

I was wondering if there was a way to add a hash in the very first lines of the paket.lock. That way, when using paket restore, paket install, paket add, paket update … we would have a WARN or even ERROR (a parameter of the paket.dependencies

Repro steps

  1. create a project with a package that has dependencies + transitive ones
  2. manually edit paket.lock: the version constraints of the transitive packages
  3. make sure the constraints make no sense (like skipping a major)
  4. run a paket restore ==> no idea it was edited
  5. back up paket.lock and remove it (rename it?)
  6. run a paket install
  7. compare the new and old paket.lock

Expected behavior

Get a warning or a failure on any action reading / modifying a paket.lock that does not match. An idea would be to add a line with the HASH of the resulting paket.lock. It would only require rehashing the paket.lock (with the exception of this line, for evident reasons); then we could have warnings about manual edits.

Bonus: being able to choose warning or error (just like WARN AS ERROR)

Actual behavior

silent

Known workarounds

None. We could try to look in source control, but if the same commit contains both install + edit … Depending on constraints, it is impossible to be sure that running paket install will end up with the same lock.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (7 by maintainers)

Top GitHub Comments

1 reaction
matthid commented, Aug 26, 2017

I think we have some change-detection in place. But it didn’t seem to catch your use case. Usually paket warns when it detects that the dependencies-file doesn’t match with the lockfile. However, this can really only go so far…

Consider if someone edits the lockfile and updates the hash-file by hand. What to do now? Add another hash file for the hash file? IMHO Basically if users edit the file you need to assume they know what they are doing, such things need to be detected by code-reviews or other means.
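The proposal in the issue body (a hash line at the top of paket.lock, computed over everything except that line, with a warn-as-error switch) and matthid's objection above (anyone who edits the file can regenerate the hash line too) can both be made concrete with a small integrity check. The following is an added example, not Paket's own code: Paket has no such hash line, and the marker format, function names and the sample lock text are assumptions made for this illustration.

```python
"""Added example (not Paket's code): a lock-file integrity check of the kind the
issue proposes. The marker line, function names and sample lock text below are
assumptions made for this illustration."""
import hashlib

# Assumed marker for the first line of paket.lock. A comment-style line is used
# so a reader that skips unknown lines would still parse the rest of the file.
HASH_PREFIX = "# PAKET-LOCK-SHA256: "

# Constructed sample in the shape of a small paket.lock (not a real project).
SAMPLE_LOCK = """NUGET
  remote: https://api.nuget.org/v3/index.json
    FSharp.Core (4.2.3)
    Newtonsoft.Json (10.0.3)
      Microsoft.CSharp (>= 4.3.0)
"""


def canonical_body(text: str) -> str:
    """Lock text with any hash line removed and line endings normalised, so the
    digest covers only the resolution content (the 'exception of this line'
    from the proposal)."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()
             if not ln.startswith(HASH_PREFIX)]
    return "\n".join(lines) + "\n"


def compute_digest(text: str) -> str:
    """SHA-256 over the canonical body, as a hex string."""
    return hashlib.sha256(canonical_body(text).encode("utf-8")).hexdigest()


def stamp(text: str) -> str:
    """What the resolver would do when it writes paket.lock: prepend the hash of
    the content it just produced, replacing any stale hash line."""
    body = canonical_body(text)
    return f"{HASH_PREFIX}{compute_digest(body)}\n{body}"


def verify(text: str):
    """Return (status, message); status is 'ok', 'modified' or 'unstamped'."""
    first_line = text.split("\n", 1)[0]
    if not first_line.startswith(HASH_PREFIX):
        return "unstamped", "paket.lock carries no hash line; cannot tell whether it was edited"
    recorded = first_line[len(HASH_PREFIX):].strip()
    actual = compute_digest(text)
    if recorded == actual:
        return "ok", "paket.lock matches the hash recorded when it was generated"
    return "modified", (f"paket.lock was edited after generation "
                        f"(recorded {recorded[:12]}..., actual {actual[:12]}...)")


def check_before_restore(text: str, warn_as_error: bool = False) -> str:
    """Hook a command such as 'paket restore' could call before reading the
    lock. The warn_as_error switch mirrors the issue's 'WARN AS ERROR' bonus."""
    status, message = verify(text)
    if status == "modified" and warn_as_error:
        raise RuntimeError(message)
    if status != "ok":
        print(f"WARN: {message}")
    return status


if __name__ == "__main__":
    generated = stamp(SAMPLE_LOCK)
    print(check_before_restore(generated))          # ok
    # Repro step 2: a hand edit that loosens a transitive constraint.
    edited = generated.replace("(>= 4.3.0)", "(>= 5.0.0)")
    print(check_before_restore(edited))             # modified
    # matthid's objection: an editor who also regenerates the hash line passes.
    print(check_before_restore(stamp(edited)))      # ok
```

The last call is the point of the objection: the hash only catches edits made without knowledge of the scheme (accidental ones, or a merge that touched the file), not a deliberate edit by someone who re-runs the stamping step, so it complements code review rather than replacing it.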

0 reactions
tebeco commented, Sep 3, 2017

I thought I had closed it, my bad.

The conclusion is, we have no way to detect that, or we remove paket.lock, run a paket install, compare both paket.lock files and do a review (that won't happen, I guess).
