[Proposal] Mix deps.get option to avoid updating the lockfile


Alessio Biancalana

Mar 17, 2020, 10:54:11 AM
to elixir-lang-core
Hello,
It's my first time proposing a feature for a programming language so I don't know how to deal with it and I hope to do it right :-)

Coming from other ecosystems I saw that some platforms offer a way to avoid updating the lockfile while downloading dependencies for a project, mainly for software delivery and continuous integration purposes. One example of this is the `npm ci` command, or `yarn install --frozen-lockfile` command, for JavaScript projects.

I love the idea to provide an option to operate with a project avoiding generating new files or modifying existing ones, so I was thinking about adding something like `mix deps.get --ci` or `mix deps.get --avoid-lockfile-update`. I basically didn't want to steal the "frozen lockfile" name, even if it is nice :-D

From my point of view this could be a nice improvement, looking forward to hearing from you,

Alessio

José Valim

Mar 17, 2020, 11:01:47 AM
to elixir-l...@googlegroups.com
AFAIK, mix deps.get doesn't update the lockfile. If it does, it is a bug. :)

--
You received this message because you are subscribed to the Google Groups "elixir-lang-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elixir-lang-co...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elixir-lang-core/7538c297-6b3a-4d63-9324-4a1bd00b0cbe%40googlegroups.com.

Alessio 'Blaster' Biancalana

Mar 17, 2020, 11:06:50 AM
to elixir-l...@googlegroups.com
Hi José,
Wow, this is an unexpected turn of events. :-D I will track if it happens again, sometimes my provisioning scripts (ansible roles and stuff like that) find local modifications in my repos so it definitely gets updated. I will come back with a more detailed analysis then, thank you for the kind reply!

Alessio

Wojtek Mach

Mar 17, 2020, 11:08:14 AM
to elixir-l...@googlegroups.com
Yeah, `mix deps.get` would create the lock file if there isn’t one, but I also believe it would not update it unless you also change your deps. If that isn’t the case I would also argue that’s a bug (i.e. `--frozen-lockfile` would be implicit. An exception is where we change the lock file format, e.g. recent hex checksum changes.)

Alexei Sholik

Mar 17, 2020, 5:20:47 PM
to elixir-lang-core
Sometimes the lockfile is updated when its format changes, but all the deps remain at the same versions. I've seen that a number of times when upgrading the version of Hex and/or Elixir.



--
Best regards
Alexei Sholik

Alessio 'Blaster' Biancalana

Mar 18, 2020, 4:26:08 AM
to elixir-l...@googlegroups.com
Thanks to all for the answers! It makes a bit more sense now :-) In CI or delivery envs nonetheless you don't want the lockfile to be changed at all. I'll dive more and come back with something more structured.

Alessio

Norbert Melzer

Mar 18, 2020, 6:32:19 AM
to elixir-lang-core
The "rewrite lockfile" on format change is actually a problem on NixOS, where even in not sandboxed builds, the source files are read-only and therefore `mix deps.get` might crash, just because it wants to update the lock file.

It would be indeed nice if there were an option (or environment variable) which would avoid writing back to the lock file.


José Valim

Mar 18, 2020, 7:00:57 AM
to elixir-l...@googlegroups.com
As I said, mix deps.get should not change the .lock file, ever. If it does, it is a bug.

Johanna Larsson

Mar 18, 2020, 10:19:31 AM
to elixir-lang-core
To clarify a bit, the reason `yarn install --frozen-lockfile` exists is not because `yarn install` will modify the lock file randomly, it's because someone can check in code where they modified the `package.json` but didn't update the lockfile. The same would be possible with mix, where you update dependency versions in mix.exs but then don't run mix deps.get. The reason you want to run `yarn install --frozen-lockfile`, which fails if the package.json and lockfile are out of sync, is to ensure that nobody accidentally checks in changes to package.json without having also updated the lockfile. Possibly this is less of a problem in Elixir, since you wouldn't normally be able to install deps without updating the lockfile, while in a node environment you just use `npm install` instead of `yarn install` or vice versa.

`npm ci` does some other stuff too related to "best practice" around running in CI https://docs.npmjs.com/cli/ci.html
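The CI check discussed in this thread, as an added example that is not part of any post: a POSIX shell guard that fails the build when a dependency fetch leaves the lockfile different from what was committed. `guard_lockfile` is a hypothetical helper name, not a Mix or Hex command; the only real command assumed is `mix deps.get`.

```shell
#!/bin/sh
# Added example: fail a CI step when a dependency fetch rewrites the lockfile.
# guard_lockfile is a hypothetical helper, not part of Mix or Hex.
#
# Usage:   guard_lockfile <lockfile> <command> [args...]
# Returns: 0  lockfile is byte-identical after the command
#          1  lockfile content changed (dependency drift or format rewrite)
#          2  lockfile was missing before the command ran
#          3  the command itself failed (e.g. read-only source tree)
guard_lockfile() {
    lock=$1
    shift

    # A missing lockfile means nothing is pinned; refuse rather than let
    # the fetch command create one from whatever resolves today.
    if [ ! -f "$lock" ]; then
        echo "guard: $lock is missing, refusing to resolve unpinned deps" >&2
        return 2
    fi

    # Keep a byte-for-byte copy of the committed lockfile to compare against.
    snapshot=$(mktemp) || return 3
    cp "$lock" "$snapshot"

    result=0
    if ! "$@"; then
        echo "guard: command failed: $*" >&2
        result=3
    elif ! cmp -s "$snapshot" "$lock"; then
        echo "guard: $lock was modified by: $*" >&2
        # Print the change so a reviewer can tell a version bump from a
        # pure format rewrite.
        diff -u "$snapshot" "$lock" >&2 || true
        result=1
    fi

    rm -f "$snapshot"
    return "$result"
}

# In a CI job (assumes mix is on PATH and the checkout is writable):
#   guard_lockfile mix.lock mix deps.get || exit 1
```
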

José Valim

Mar 18, 2020, 11:11:50 AM
to elixir-l...@googlegroups.com
Oh, this is very useful background, thanks Johanna. Now it makes sense and I see the reason to have such a flag.


Thomas Depierre

Mar 18, 2020, 1:03:01 PM
to elixir-lang-core
It does happen from time to time when the format of the lock file changes. I have seen it happen, like adding hash or changing the hash function. That is good to know, I will report it if I see it again.

Norbert Melzer

Mar 18, 2020, 4:16:30 PM
to elixir-lang-core
Compiling the elixir-ls from v0.3.0 with a recent version of the hex plugin will cause a rewrite of the lockfile.
