
[Bug]: Lock file does not include transitive dependencies

Open dudicoco opened this issue 2 years ago • 3 comments

Current Behavior (bug)

A nix package could install transitive dependencies, for example the pre-commit package installs all of these dependencies: https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/tools/misc/pre-commit/default.nix#L1-L15

These transitive dependencies do not appear in the lock file.

Expected Behavior (fix)

The transitive dependencies with their versions should appear in the lock file.

Additional context

Please include the output of devbox version -v and a copy of your devbox.json file.

$ devbox version -v
Version:     0.5.4
Platform:    darwin_arm64
Commit:      92bb293af46fe6869648c20e4a6476dc83df0092
Commit Time: 2023-06-01T21:35:06Z
Go Version:  go1.20.4
Launcher:    0.2.0

{
  "packages": [
    "[email protected]"
  ]
}

{
  "lockfile_version": "1",
  "packages": {
    "[email protected]": {
      "last_modified": "2023-05-01T16:53:22Z",
      "resolved": "github:NixOS/nixpkgs/8670e496ffd093b60e74e7fa53526aa5920d09eb#pre-commit",
      "version": "3.2.2"
    }
  }
}

dudicoco (Jun 17 '23 18:06)

Hey @dudicoco, thanks for reporting this issue.

Since pinning a nixpkgs commit also pins all of the package's build dependencies, it is not necessary to list the transitive dependencies for reproducibility. As long as the same commit is used, all the package versions used in the derivation should be the same.

Is there a reason or use case why you want to list the transitive dependencies in the lockfile?

Lagoja (Jun 21 '23 00:06)
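
Added example, not part of the thread and not devbox's own code: since the reply above rests reproducibility on the nixpkgs commit in each `resolved` value, this check parses a lock file of the shape posted in the issue and flags any entry that is not pinned to a full 40-character commit hash. The package keys, the second and third entries, and the assumption that `resolved` always has the `github:<owner>/<repo>/<rev>#<attr>` shape are constructed for illustration.

```python
import json
import re

# Shape of 'resolved' in the issue's lock file (assumed to be the only one):
#   github:<owner>/<repo>/<rev>#<attribute>
FLAKE_REF = re.compile(r"github:[^/]+/[^/]+/(?P<rev>[^#]+)#(?P<attr>.+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed sample: only the first 'resolved' value is copied from the issue;
# the keys and the other two entries are placeholders.
SAMPLE_LOCK = """
{
  "lockfile_version": "1",
  "packages": {
    "pkg-a@placeholder": {
      "resolved": "github:NixOS/nixpkgs/8670e496ffd093b60e74e7fa53526aa5920d09eb#pre-commit"
    },
    "pkg-b@placeholder": {
      "resolved": "github:NixOS/nixpkgs/nixos-23.05#python3"
    },
    "pkg-c@placeholder": {}
  }
}
"""

def audit_lock(lock_text):
    """Return (pins, problems) for a devbox-style lock file.

    pins maps each pinned nixpkgs commit to the package keys resolved from it.
    problems lists (key, reason) for entries with no parsable reference or
    with a mutable ref (branch or tag) where a commit hash is expected.
    """
    lock = json.loads(lock_text)
    pins, problems = {}, []
    for key, entry in sorted(lock.get("packages", {}).items()):
        m = FLAKE_REF.fullmatch(entry.get("resolved", ""))
        if m is None:
            problems.append((key, "no parsable github flake reference"))
        elif not FULL_SHA.fullmatch(m["rev"]):
            problems.append((key, f"mutable ref {m['rev']!r}, not a commit hash"))
        else:
            pins.setdefault(m["rev"], []).append(key)
    return pins, problems

if __name__ == "__main__":
    pins, problems = audit_lock(SAMPLE_LOCK)
    for rev, keys in pins.items():
        print(f"pinned   {rev}: {', '.join(keys)}")
    for key, reason in problems:
        print(f"UNPINNED {key}: {reason}")
```
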

Thanks for the info @Lagoja.

So how does one specify different dependencies than the ones in the same commit? For example, if I specify a python version in devbox.json, the pre-commit package would still use the python version from its commit. How can we enforce it to use a different python version, or not install that dependency at all?

dudicoco (Jun 25 '23 07:06)

Hi @Lagoja, any updates on this issue?

dudicoco (Mar 10 '24 17:03)