See: https://dart.dev/guides/libraries/private-files#pubspeclock
Today, we say:
For library packages, do not commit the
pubspec.lockfile.
For application packages, it鈥檚 up to you whether you commit thepubspec.lockfile. Consider checking it in if you want to track the dependencies that are used for production or across a team.
I think, it would be better to say: (_or something along these lines_)
For library packages, it can be a good idea to not commit the
pubspec.lockfile. Committing thepubspec.lockfile will not affect package consumers, they are likely to get the latest dependencies allowed bypubspec.yaml. Therefore it can be a good idea to avoid locking your dependencies and test against the latest versions of your dependencies. However, committing thepubspec.lockfile may produce more consistent CI test results, and whether or not to commit it can be a matter of personal preference and workflow.
I _strongly_ think, it would be better to say: (_or something along these lines_)
For application packages, always do commit the
pubspec.lock. This will lock your dependencies, so that code changes in your dependencies doesn't sneak in as your application progresses from development, to integration testing, to product release, to product support.
When developing a library package the pubspec.lock will not affect the package consumers.
When pub get downloads a package it will not read the pubspec.lock from the package being downloaded. Package consumers will always get the latest dependencies compatible with the constraints in pubspec.yaml.
Hence, whether you choose to keep pubspec.lock under source control is a matter of personal preference (or workflow).
Reasons to keep pubspec.lock in git includes:
For large teams working on a library package, locking dependencies might make sense. Because intermittent CI results can be disruptive to the workflow.
The counter argument is that you easily forget to test against latest dependencies if your CI system isn't doing it. And the package consumers will likely get the latest dependencies, so it's unfortunate that you're not testing against them.
I don't feel too strongly about recommendation we give, but making it clear that pubspec.lock won't affect package consumers seems like a good idea.
When developing an application package the pubspec.lock specifies part of the code that makes up your application. If you don't commit the pubspec.lock file, you may inadvertently upgrade your dependencies between testing and deployment. Common scenarios include:
git push heroku for deployment), Google Cloud Build which can deploy to AppEngine, Cloud Run, etc.Doing any of this without a pubspec.lock under source control and you may easily deploy a configuration you have not tested. And once you have deployed this untested configuration, you may have a hard time reproducing issues reported by users, because you might have different dependencies (and it's hard to guess which packages was actually deployed into production).
Therefore it is in my opinion very important that application developers keep pubspec.lock under source control.
CC @sigurdm, @mit-mit, @natebosch, @jakemac53, please tune-in if you have any thoughts.
I just earlier today suggested to @kwalrath in email:
change:
**For application packages**, it's up to you whether you
commit the `pubspec.lock` file.
Consider checking it in if you want to track the dependencies that
are used for production or across a team.
to something like:
**For application packages**, we recommend that you
commit the `pubspec.lock` file.
This ensures everyone working on the app use the exact same versions.
change:
**For library packages**, do **not** commit the `pubspec.lock` file.
to something like:
**For library packages**, do **not** commit the `pubspec.lock` file.
This ensures you test your package against the latest compatible versions
of its dependencies.
This ensures you test your package against the latest compatible versions
of its dependencies.
"Ensures" is a strong word - there are other misconfigurations that could change this. I'd go with "This allows you to test your package..."
"Ensures" is a strong word - there are other misconfigurations that could change this. I'd go with "This allows you to test your package..."
Agreed. I often have a local pubspec.lock that is really old, because I forget to updated. But on travis I'll usually test against latest dependencies.
I mostly care that we: Strongly recommend _application packages_ do commit pubspec.lock.
(to mitigate dependency changes between dev, test, QA and production deployments).
I argue in the rationale above that: for _library packages_ whether or not to commit pubspec.lock is a matter of personal preference. But I care less if we emphasize this, people will do what they want anyways :)
(still it might be nice to point out, that if pubspec.lock is committed it won't affect package consumers)
Most helpful comment
I just earlier today suggested to @kwalrath in email:
for apps:
change:
to something like:
for packages:
change:
to something like: