Use locked versions (#516)

* Use locked versions * Update mix.exs * Update mix.exs
2025-02-20 21:04:17 +08:00 · 2021-08-25 11:52:41 +02:00 · 2021-08-25 11:52:41 +02:00 · c595ea968b
commit c595ea968b
parent 90a52e9295
1 changed files with 41 additions and 16 deletions
--- a/mix.exs
+++ b/mix.exs
@ -15,7 +15,7 @@ defmodule Livebook.MixProject do
      compilers: [:phoenix] ++ Mix.compilers(),
      start_permanent: Mix.env() == :prod,
      aliases: aliases(),
-      deps: deps(),
+      deps: with_lock(deps()),
      escript: escript(),
      releases: releases(),
      package: package()
@ -32,32 +32,57 @@ defmodule Livebook.MixProject do
  defp elixirc_paths(:test), do: ["lib", "test/support"]
  defp elixirc_paths(_), do: ["lib"]

+  # Although we use requirements here, the with_lock() function
+  # below ensures we only use the locked versions. This is important
+  # for two reasons:
+  #
+  #   1. because we bundle assets from phoenix, phoenix_live_view,
+  #      and phoenix_html, we want to make sure we have those exact
+  #      versions
+  #
+  #   2. we don't want users to potentially get a new dependency
+  #      when installing from git or as an escript
+  #
+  # Therefore, to update any dependency, you must call before:
+  #
+  #     mix deps.unlock foo bar baz
+  #
  defp deps do
    [
-      # We point phoenix, phoenix_live_view and phoenix_html to
-      # exact versions, because we install the corresponding npm
-      # packages directly from the local deps (using "file:"),
-      # they end up in the final assets bundle and the Elixir-side
-      # versions must match at runtime. Specifically, this is
-      # necessary because mix.lock is not loaded when installing
-      # the Escript and we don't want newer versions to be installed.
-      {:phoenix, "1.5.10"},
-      {:phoenix_live_view, "0.16.0"},
+      {:phoenix, "~> 1.5"},
+      {:phoenix_html, "~> 3.0"},
+      {:phoenix_live_view, "~> 0.16.0"},
      {:phoenix_live_dashboard, "~> 0.5.0"},
-      {:floki, ">= 0.27.0", only: :test},
-      {:phoenix_html, "3.0.0"},
-      {:phoenix_live_reload, "~> 1.2", only: :dev},
      {:telemetry_metrics, "~> 0.4"},
      {:telemetry_poller, "~> 0.4"},
      {:jason, "~> 1.0"},
      {:plug_cowboy, "~> 2.0"},
      {:earmark_parser, "~> 1.4"},
-      {:bypass, "~> 2.1", only: :test},
      {:castore, "~> 0.1.0"},
-      {:aws_signature, "~> 0.1.0"}
+      {:aws_signature, "~> 0.1.0"},
+      {:phoenix_live_reload, "~> 1.2", only: :dev},
+      {:floki, ">= 0.27.0", only: :test},
+      {:bypass, "~> 2.1", only: :test}
    ]
  end

+  @lock (with {:ok, contents} <- File.read("mix.lock"),
+              {:ok, quoted} <- Code.string_to_quoted(contents, warn_on_unnecessary_quotes: false),
+              {%{} = lock, _binding} <- Code.eval_quoted(quoted, []) do
+           for {dep, hex} when elem(hex, 0) == :hex <- lock,
+               do: {dep, elem(hex, 2)},
+               into: %{}
+         else
+           _ -> %{}
+         end)
+
+  defp with_lock(deps) do
+    for dep <- deps do
+      name = elem(dep, 0)
+      put_elem(dep, 1, @lock[name] || elem(dep, 1))
+    end
+  end
+
  defp aliases do
    [
      "dev.setup": ["deps.get", "cmd npm install --prefix assets"],
@ -93,7 +118,7 @@ defmodule Livebook.MixProject do
      links: %{
        "GitHub" => "https://github.com/livebook-dev/livebook"
      },
-      files: ~w(lib priv config mix.exs README.md LICENSE CHANGELOG.md)
+      files: ~w(lib priv config mix.exs mix.lock README.md LICENSE CHANGELOG.md)
    ]
  end
 end