From c595ea968b6367716d614f270997fa77c765efd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Wed, 25 Aug 2021 11:52:41 +0200
Subject: [PATCH] Use locked versions (#516)
* Use locked versions
* Update mix.exs
* Update mix.exs
---
 mix.exs | 57 +++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 41 insertions(+), 16 deletions(-)
diff --git a/mix.exs b/mix.exs
index d3c1bc574..1fc3be75d 100644
--- a/mix.exs
+++ b/mix.exs
@@ -15,7 +15,7 @@ defmodule Livebook.MixProject do
 compilers: [:phoenix] ++ Mix.compilers(),
 start_permanent: Mix.env() == :prod,
 aliases: aliases(),
- deps: deps(),
+ deps: with_lock(deps()),
 escript: escript(),
 releases: releases(),
 package: package()
@@ -32,32 +32,57 @@ defmodule Livebook.MixProject do
 defp elixirc_paths(:test), do: ["lib", "test/support"]
 defp elixirc_paths(_), do: ["lib"]
+ # Although we use requirements here, the with_lock() function
+ # below ensures we only use the locked versions. This is important
+ # for two reasons:
+ #
+ # 1. because we bundle assets from phoenix, phoenix_live_view,
+ # and phoenix_html, we want to make sure we have those exact
+ # versions
+ #
+ # 2. we don't want users to potentially get a new dependency
+ # when installing from git or as an escript
+ #
+ # Therefore, to update any dependency, you must call before:
+ #
+ # mix deps.unlock foo bar baz
+ #
 defp deps do
 [
- # We point phoenix, phoenix_live_view and phoenix_html to
- # exact versions, because we install the corresponding npm
- # packages directly from the local deps (using "file:"),
- # they end up in the final assets bundle and the Elixir-side
- # versions must match at runtime. Specifically, this is
- # necessary because mix.lock is not loaded when installing
- # the Escript and we don't want newer versions to be installed.
- {:phoenix, "1.5.10"},
- {:phoenix_live_view, "0.16.0"},
+ {:phoenix, "~> 1.5"},
+ {:phoenix_html, "~> 3.0"},
+ {:phoenix_live_view, "~> 0.16.0"},
 {:phoenix_live_dashboard, "~> 0.5.0"},
- {:floki, ">= 0.27.0", only: :test},
- {:phoenix_html, "3.0.0"},
- {:phoenix_live_reload, "~> 1.2", only: :dev},
 {:telemetry_metrics, "~> 0.4"},
 {:telemetry_poller, "~> 0.4"},
 {:jason, "~> 1.0"},
 {:plug_cowboy, "~> 2.0"},
 {:earmark_parser, "~> 1.4"},
- {:bypass, "~> 2.1", only: :test},
 {:castore, "~> 0.1.0"},
- {:aws_signature, "~> 0.1.0"}
+ {:aws_signature, "~> 0.1.0"},
+ {:phoenix_live_reload, "~> 1.2", only: :dev},
+ {:floki, ">= 0.27.0", only: :test},
+ {:bypass, "~> 2.1", only: :test}
 ]
 end
+ @lock (with {:ok, contents} <- File.read("mix.lock"),
+ {:ok, quoted} <- Code.string_to_quoted(contents, warn_on_unnecessary_quotes: false),
+ {%{} = lock, _binding} <- Code.eval_quoted(quoted, []) do
+ for {dep, hex} when elem(hex, 0) == :hex <- lock,
+ do: {dep, elem(hex, 2)},
+ into: %{}
+ else
+ _ -> %{}
+ end)
+
+ defp with_lock(deps) do
+ for dep <- deps do
+ name = elem(dep, 0)
+ put_elem(dep, 1, @lock[name] || elem(dep, 1))
+ end
+ end
+
 defp aliases do
 [
 "dev.setup": ["deps.get", "cmd npm install --prefix assets"],
@@ -93,7 +118,7 @@ defmodule Livebook.MixProject do
 links: %{
 "GitHub" => "https://github.com/livebook-dev/livebook"
 },
- files: ~w(lib priv config mix.exs README.md LICENSE CHANGELOG.md)
+ files: ~w(lib priv config mix.exs mix.lock README.md LICENSE CHANGELOG.md)
 ]
 end
 end
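Review bot: In the `@@ -32,32 +32,57 @@` hunk, the `else` branch of the `@lock` attribute (`_ -> %{}`) makes the pinning fail open. If `mix.lock` cannot be read from the working directory, does not parse, or does not evaluate to a map, `with_lock/1` leaves every requirement such as `"~> 1.5"` as written and nothing reports that the versions are no longer locked. Because the comment above `deps/0` relies on the lock to keep git and escript installs on known versions, the fallback should at least be visible, for example by calling `IO.warn("mix.lock could not be loaded; dependencies are not pinned")` before returning `%{}`, or by raising where a missing lock is never expected. Reading the file through `Path.join(__DIR__, "mix.lock")` would also remove the dependence on the current directory, if `mix.exs` can be evaluated from elsewhere. It is also worth a comment next to `elem(hex, 2)` that only the version string is taken from each lock entry, so as far as this code shows the checksums recorded in `mix.lock` are not enforced on this path, and that `Code.eval_quoted/2` gives `mix.lock` the same trust as `mix.exs` itself.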