
[dart/pub] Dependabot is incorrectly and unexpectedly changing pubspec.lock flutter constraint from "3.35.6" to ">=3.35.6"

Open acoutts opened this issue 2 months ago • 6 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Package ecosystem

dart

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "pub"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "flutter"
    assignees:
      - "acoutts"

Updated dependency

Dependabot correctly bumped the dependency version for the dependency it was updating, but every time it modifies the lock file it incorrectly updates the flutter constraint from the fixed value specified in pubspec.yaml to a >=, which is not the correct behavior.

pubspec.yaml:

environment:
  sdk: 3.9.2
  flutter: 3.35.6

pubspec.lock diff:

sdks:
  dart: "3.9.2"
-  flutter: "3.35.6"
+  flutter: ">=3.35.6"

If you check out the branch from dependabot and run flutter pub get, the pub command puts the lock file constraint back to 3.35.6 like expected, so dependabot is incorrectly and unexpectedly changing this constraint.

What you expected to see, versus what you actually saw

Dependabot should produce pubspec lock files that are consistent with the output from the real pub get command.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

[image attached in the original issue]

Smallest manifest that reproduces the issue

No response

acoutts avatar Nov 03 '25 15:11 acoutts

Do you have workspace resolution enabled?

kuhnroyal avatar Nov 05 '25 12:11 kuhnroyal

We do indeed. dependabot.yml is pointed to the dart workspace folder and inside it is our app package. But this bug was affecting us before we implemented the workspace so it appears to not be the workspace being an issue but a misinterpretation of the flutter sdk version constraint.

acoutts avatar Nov 05 '25 13:11 acoutts

For me this started with the workspace I think.

kuhnroyal avatar Nov 05 '25 15:11 kuhnroyal

@acoutts we are able to reproduce your issue from our side, we acknowledge your concern, and have linked a PR that may fix the issue. Though we are still investigating whether this aligns with our philosophy, despite what the behavior of the package manager may be:

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference

Thank you for your patience, and we will resolve this shortly.

a-schur avatar Dec 09 '25 20:12 a-schur

This should not happen - it might be a bug in pub - the range in pubspec.lock should be the intersection of all the ranges of flutter constraints in all the pubspec.yamls.

For historic reasons we have ignored the upper bound of the flutter constraint in pubspec.yaml (this was to allow flutter to change its major version number without breaking compatibility).

Recently we made a change so that this interpretation only applies to dependencies, not to packages in the workspace. But that should have had the opposite effect of what you are describing: it should go from a range to a single version.

Do you have a reproduction and before/after flutter versions I can try out? I'd like to get to the bottom of this

But that is a bit beside the point here, since the dependabot integration specifically uses the oldest flutter version in the sdk range from the analyzed pubspec.yaml, not from pubspec.lock, to analyze the package:

https://github.com/dependabot/dependabot-core/blob/698cdce9b1a70559f4c36079af4852ddc7e5069a/pub/helpers/bin/infer_sdk_versions.dart#L144

@a-schur consider waiting with the fix, until we have a better understanding here.

sigurdm avatar Dec 11 '25 09:12 sigurdm

@a-schur can you perhaps share the reproduction you did? I am not sure what flutter version this started at as I've only recently started using dependabot like this. Is it possible this is not just a recent regression but has instead been present for a while?

acoutts avatar Dec 11 '25 10:12 acoutts

@sigurdm Thanks for taking a look at this! I just went through the history in one of the affected projects.

The problem seems to be that the behavior between pub get and dependabot (dependency_services) is no longer aligned.

Historically (before pub workspaces) - Flutter 3.27.0 for example

Historically we always had a range in the lock file. It worked the same way for pub get and dependabot.

# pubspec.yaml
environment:
  flutter: '3.27.0'

# pubspec.lock
sdks:
  flutter: ">=3.27.0"

Now - pub workspace

Now we have a difference between pub get, which does not create a range unless all packages have a range defined, and dependabot, which always creates a range.

pub get

# /pubspec.yaml
environment:
  flutter: '3.35.0'

# /foo/pubspec.yaml
environment:
  flutter: '3.35.0'

# pubspec.lock
sdks:
  flutter: "3.35.0"

dependabot

# /pubspec.yaml
environment:
  flutter: '3.35.0'

# /foo/pubspec.yaml
environment:
  flutter: '3.35.0'

# pubspec.lock
sdks:
  flutter: ">=3.35.0"

kuhnroyal avatar Dec 11 '25 13:12 kuhnroyal

I just did a test as well, brand new flutter create project (no workspace):

Pubspec:

environment:
  sdk: ^3.9.2
  flutter: ^3.35.6

Lock:

sdks:
  dart: ">=3.9.2 <4.0.0"
  flutter: ">=3.35.6 <4.0.0"

Now with a single version specified: Pubspec:

environment:
  sdk: ^3.9.2
  flutter: 3.35.6

Lock:

sdks:
  dart: ">=3.9.2 <4.0.0"
  flutter: "3.35.6"

Are you sure you observe >= in your lock file @kuhnroyal? It should not be doing that, either from pub or dependabot. If you specify an explicit version constraint that means exactly that version and nothing else; it should not be interpreted as >=, that should only be the case if you use ^ or >=.

acoutts avatar Dec 11 '25 14:12 acoutts
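The two comparisons above (sigurdm's description of the lock entry as the intersection of every workspace package's flutter constraint, with the historic "ignore the upper bound" reading, and the before/after lock files posted by kuhnroyal and acoutts) can be turned into a small CI check that flags a pubspec.lock whose `sdks.flutter` entry no longer matches what `pub get` would write. The script below is an added example for this thread; it is not code from dependabot-core or from pub. The bound handling (exact version, caret range, explicit `>=`/`<` range, tightest-bound intersection, and a legacy mode that drops the upper bound) is an assumption about pub's behaviour reconstructed from the comments, not a copy of pub's source, and the pubspec/lock snippets are constructed inputs modelled on the ones in the thread.

```python
"""Drift check for the pubspec.lock `sdks.flutter` entry (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
        if not m:
            raise ValueError(f"unsupported version {text!r}")
        return cls(*(int(g) for g in m.groups()))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


@dataclass(frozen=True)
class Constraint:
    """Interval over versions; None means unbounded on that side."""
    lo: Optional[Version]          # inclusive lower bound
    hi: Optional[Version]          # upper bound
    hi_inclusive: bool = False     # only True for an exact version (lo == hi)

    @classmethod
    def parse(cls, text: str) -> "Constraint":
        text = text.strip().strip("'\"")
        if text in ("", "any"):
            return cls(None, None)
        if text.startswith("^"):               # ^x.y.z: up to the next breaking version
            base = Version.parse(text[1:])
            if base.major > 0:
                nxt = Version(base.major + 1, 0, 0)
            elif base.minor > 0:
                nxt = Version(0, base.minor + 1, 0)
            else:
                nxt = Version(0, 0, base.patch + 1)
            return cls(base, nxt)
        if re.fullmatch(r"\d+\.\d+\.\d+", text):   # bare version: exactly that version
            v = Version.parse(text)
            return cls(v, v, hi_inclusive=True)
        lo = hi = None
        for op, ver in re.findall(r"(>=|<)\s*(\d+\.\d+\.\d+)", text):
            if op == ">=":
                lo = Version.parse(ver)
            else:
                hi = Version.parse(ver)
        if lo is None and hi is None:
            raise ValueError(f"unsupported constraint {text!r}")
        return cls(lo, hi)

    def __str__(self) -> str:
        if self.hi_inclusive and self.lo == self.hi:
            return str(self.lo)
        parts = []
        if self.lo is not None:
            parts.append(f">={self.lo}")
        if self.hi is not None:
            parts.append(f"<{self.hi}")
        return " ".join(parts) or "any"


def intersect(a: Constraint, b: Constraint) -> Constraint:
    """Tightest bounds of both; on equal upper bounds an exclusive one wins."""
    lo = max((v for v in (a.lo, b.lo) if v is not None), default=None)
    ups = [(c.hi, c.hi_inclusive) for c in (a, b) if c.hi is not None]
    hi, hi_inc = min(ups, key=lambda p: (p[0], p[1])) if ups else (None, False)
    if lo is not None and hi is not None and (lo > hi or (lo == hi and not hi_inc)):
        raise ValueError(f"empty intersection of {a} and {b}")
    return Constraint(lo, hi, hi_inc)


def legacy_flutter_constraint(c: Constraint) -> Constraint:
    """Historic reading described in the thread: keep only the lower bound."""
    return Constraint(c.lo, None)


def lock_flutter_entry(pubspec_constraints: List[str], legacy: bool = False) -> str:
    """What pub would write under `sdks: flutter:` for these workspace constraints."""
    cs = [Constraint.parse(t) for t in pubspec_constraints]
    if legacy:
        cs = [legacy_flutter_constraint(c) for c in cs]
    result = cs[0]
    for c in cs[1:]:
        result = intersect(result, c)
    return str(result)


def flutter_constraint(yaml_text: str, section: str) -> str:
    """Pull the flutter line out of `environment:` (pubspec) or `sdks:` (lock).
    Plain regexes keep the example free of a YAML dependency."""
    m = re.search(rf"^{section}:\n((?:[ \t]+\S.*\n?)+)", yaml_text, re.M)
    if not m:
        raise ValueError(f"no {section}: section")
    f = re.search(r"^[ \t]+flutter:[ \t]*(.+?)[ \t]*$", m.group(1), re.M)
    if not f:
        raise ValueError(f"no flutter entry under {section}:")
    return f.group(1).strip("'\"")


def lock_drift(pubspecs: List[str], lock: str) -> Optional[Tuple[str, str]]:
    """(expected, found) when the lock's flutter entry differs from pub's, else None."""
    expected = lock_flutter_entry([flutter_constraint(p, "environment") for p in pubspecs])
    found = flutter_constraint(lock, "sdks")
    return None if str(Constraint.parse(found)) == expected else (expected, found)


# Constructed inputs modelled on the thread: a root package pinned to 3.35.6
# and a workspace member /foo on a caret range, plus the two lock variants.
ROOT_PUBSPEC = "name: frontend\nenvironment:\n  sdk: 3.9.2\n  flutter: 3.35.6\n"
FOO_PUBSPEC = "name: foo\nenvironment:\n  sdk: ^3.9.2\n  flutter: ^3.35.6\n"
DEPENDABOT_LOCK = 'packages: {}\nsdks:\n  dart: "3.9.2"\n  flutter: ">=3.35.6"\n'
PUB_GET_LOCK = 'packages: {}\nsdks:\n  dart: "3.9.2"\n  flutter: "3.35.6"\n'

if __name__ == "__main__":
    for label, lock in (("dependabot", DEPENDABOT_LOCK), ("pub get", PUB_GET_LOCK)):
        drift = lock_drift([ROOT_PUBSPEC, FOO_PUBSPEC], lock)
        print(f"{label:10s} lock: {'drift ' + str(drift) if drift else 'consistent'}")
    print("legacy reading of 3.27.0:", lock_flutter_entry(["3.27.0"], legacy=True))
```

Run it against a Dependabot branch's pubspec.lock and the workspace's pubspec.yaml files; a non-None result from `lock_drift` is the signal that the lock was written by a resolver whose SDK handling differs from the one developers run locally, which is exactly the mismatch this issue reports.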

Ah - I get it now, thanks! This is because dependabot is using a fixed version of pub, with an overridden version of the sdk for resolving.

We should upgrade the version of pub that dependabot is using here:

https://github.com/dependabot/dependabot-core/blob/7e1007c9e143c5568f0035dc12144b84fafa8725/pub/helpers/pubspec.yaml#L15

sigurdm avatar Dec 11 '25 14:12 sigurdm

@a-schur can you perhaps share the reproduction you did? I am not sure what flutter version this started at as I've only recently started using dependabot like this. Is it possible this is not just a recent regression but has instead been present for a while?

@acoutts I created this repository: https://github.com/dsp-testing/unexpected-flutter-constraint

and ran a dry run against it (running the CLI didn't show changes to the lockfile):

bin/dry-run.rb dsp-testing/unexpected-flutter-constraintb --dir=/frontend

a-schur avatar Dec 12 '25 22:12 a-schur

Ah - I get it now, thanks! This is because dependabot is using a fixed version of pub, with an overridden version of the sdk for resolving.

We should upgrade the version of pub that dependabot is using here:

dependabot-core/pub/helpers/pubspec.yaml

Line 15 in 7e1007c

ref: fa941d583cd4952384d383fedf4bf4e472312249

@sigurdm to be clear, the correct action is to make no changes to dependabot-core logic, however you do want me to update the pub dependency version in pub/helpers/pubspec.yaml

a-schur avatar Dec 12 '25 22:12 a-schur

@acoutts The repo I shared did not include grpc or protobuf. Could you share a link to one of the Dependabot PRs where this issue occurred, or a lockfile? This would help us to test the fix we're working on.

a-schur avatar Dec 13 '25 00:12 a-schur