[Imporouvment] beeing warned if paket.lock was edited
See original GitHub issueDescription
In some scenario we found out that paket.lock
has been edited. It could be for good or bad reason, this is not the point.
The thing that we found out that constraints were edited instead of pinning third part for example
This issue is that when you try to rollback to these previous state, removing paket.lock
and redo a paket install
it took us few hours to understand that it was in fact a manual edit that was the origin
I was wondering if there was a way to add a Hash in the very first lines of the paket.lock
, that way, when using paket restore
paket install
paket add
paket update
…
We would have a WARN
or even ERROR
(a paramter of the paket.dependencies
Repro steps
- create a project with package that have dependencies + transitie
- manually edit
paket.lock
: the version constrains of the transitive packages - make sure constrains make no sense (like skip a major)
- run a
paket restore
==> no idea it was edited - backup
paket.lock
and remove it (rename it ?) - run a
paket install
- compare new and old
paket.lock
Expected behavior
Got warn or failure when any action reading / modifing paket.lock
that does not match
An idea would be to add a line wish HASH of the resulted paket.lock
It would only required to rehash the paket.lock
(expection of this line for evident reason)
then we could have warnings about manual edition
Bonus: Beeing able to choose warning or error (just like WARN AS ERROR)
Actual behavior
silent
Known workarounds
None, we could try to see in Source control, but if the same commit contains both install+edit Depending on constraints it is impossible to be sur that running paket install will endup with the same lock
Issue Analytics
- State:
- Created 6 years ago
- Comments:7 (7 by maintainers)
Top GitHub Comments
I think we have some change-detection in place. But it didn’t seem to catch your use case. Usually paket warns when it detects that the dependencies-file doesn’t match with the lockfile. However, this can really only go so far…
Consider if someone edits the lockfile and updates the hash-file by hand. What to do now? Add another hash file for the hash file? IMHO Basically if users edit the file you need to assume they know what they are doing, such things need to be detected by code-reviews or other means.
i though i closed it, my bad
conclusion is, we got no way to detect that or remove paket.lock, run a paket install and compare both paket.lock and do a review (That won’t happen i guess)