Skip to content

fix: invalidate lock file when an inline package definition changes#6529

Draft
Hofer-Julian wants to merge 1 commit into
prefix-dev:mainfrom
Hofer-Julian:inline-invalidate
Draft

fix: invalidate lock file when an inline package definition changes#6529
Hofer-Julian wants to merge 1 commit into
prefix-dev:mainfrom
Hofer-Julian:inline-invalidate

Conversation

@Hofer-Julian

@Hofer-Julian Hofer-Julian commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Description

The satisfiability check trusted locked source records with immutable (git or url pinned) sources without consulting the consuming manifest. An inline package definition lives in that manifest, so adding or editing fields like host-dependencies or run-dependencies there kept reporting the lock file as up-to-date and the new dependencies never resolved.

Recompute the record's identifier hash with the content hash of the inline definition currently in the manifest and force a re-lock on mismatch. This requires hashing the build and host package sets order-insensitively, because the lock file normalizes the order of those references and the solve-time order is not reproducible after a round trip.

Fixes #6527

How Has This Been Tested?

Local tests

AI Disclosure

  • This PR contains AI-generated content.
    • I have tested any AI-generated content in my PR.
    • I take responsibility for any AI-generated content in my PR.

Tools: Claude

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added sufficient tests to cover my changes.
  • I have verified that changes that would impact the JSON schema have been made in schema/model.py.

The satisfiability check trusted locked source records with immutable
(git or url pinned) sources without consulting the consuming manifest.
An inline package definition lives in that manifest, so adding or
editing fields like host-dependencies or run-dependencies there kept
reporting the lock file as up-to-date and the new dependencies never
resolved.

Recompute the record's identifier hash with the content hash of the
inline definition currently in the manifest and force a re-lock on
mismatch. This requires hashing the build and host package sets
order-insensitively, because the lock file normalizes the order of
those references and the solve-time order is not reproducible after a
round trip.

Fixes prefix-dev#6527
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug(inline packages): metadata change on immutable source (git or url) doesn't invalidate build

1 participant