foundry icon indicating copy to clipboard operation
foundry copied to clipboard
verified publisher icon foundry-rs

feat: warn on soldeer.lock revision mismatch during build

Open silvekkk opened this issue 2 months ago • 12 comments

Warns when git revision in soldeer.lock differs from actual dependency revision.

Closes #12357

Not sure If should add test here, let me know if need

silvekkk avatar Oct 29 '25 14:10 silvekkk

@silvekkk I think that could work too (cc @mario-eth ) but the original ticket was meant for foundry.lock and deps installed with forge install and updated with forge update

grandizzy avatar Oct 29 '25 15:10 grandizzy

updated ticket name to reflect that. thank you!

grandizzy avatar Oct 29 '25 15:10 grandizzy

cc @beeb

mario-eth avatar Oct 29 '25 15:10 mario-eth

Ideally, this check would be more thorough and do the same consistency check we do in soldeer install (hashing all the files in the dependencies). It would be best if it reused the logic and types from soldeer_core too.

beeb avatar Oct 29 '25 15:10 beeb

  • Add SHA256 checksum verification for dependencies
  • Check both checksum and git revision
  • Provide clear warnings for integrity failures
  • Follow soldeer's verification approach

is this what in your mind? @beeb cc @grandizzy @mario-eth

silvekkk avatar Oct 29 '25 20:10 silvekkk

@silvekkk You reimplemented everything which is not great, because if we ever decide to change something about the lockfile or dependencies folder structure, your code will break.

Please add a dependency to soldeer_core in forge/Cargo.toml using soldeer-core.workspace = true.

You can then use the following:

  • https://docs.rs/soldeer-core/0.9.0/soldeer_core/lock/fn.read_lockfile.html
  • https://docs.rs/soldeer-core/0.9.0/soldeer_core/install/fn.check_dependency_integrity.html

beeb avatar Oct 30 '25 07:10 beeb

@beeb Thanks for the feedback! I'vereverted and refactored to use the soldeer_core APIs:

  • Added soldeer-core dependency
  • Using read_lockfile() and check_dependency_integrity() as you suggested
  • Removed all custom implementation

silvekkk avatar Oct 30 '25 18:10 silvekkk

Thanks for the changes. Although this all feels very LLM generated, I left some comments.

beeb avatar Oct 31 '25 07:10 beeb

Thanks for the changes. Although this all feels very LLM generated, I left some comments.

Yeah, about 50–60% of the later commits were actually done with Claude’s help. I asked it to add comments, clean up the structure, and handle a few checks I probably overlooked, and final review. Haha, trust me—if you’d seen my original code, you probably wouldn’t even have felt like leaving a comment. (It was that bad.) best 20$ I paid ever

silvekkk avatar Oct 31 '25 09:10 silvekkk

@grandizzy LGTY?

silvekkk avatar Nov 12 '25 23:11 silvekkk

@grandizzy LGTY?

@silvekkk yeah, makes sense. Can we add same check for foundry.lock file too (that was the originally ticket was opened for). Thanks!

grandizzy avatar Nov 14 '25 14:11 grandizzy

@grandizzy LGTY?

@silvekkk yeah, makes sense. Can we add same check for foundry.lock file too (that was the originally ticket was opened for). Thanks!

Sure added check_foundry_lock_consistenc

silvekkk avatar Nov 17 '25 19:11 silvekkk