Paket do not keeps versions locked for dependencies

[tsibelman]

Hi have following paket.dependencies file I set all 3 dependencies to be locked to specific version

source https://www.nuget.org/api/v2/

framework: net451
redirects: on

nuget Microsoft.Orleans.Core 1.1.1
nuget Microsoft.Orleans.CounterControl 1.1.1
nuget Microsoft.Orleans.OrleansRuntime 1.1.1

When paket.lock is created it looks like this:

Microsoft.Orleans.Core (1.1.1)
Newtonsoft.Json (>= 6.0.8)
Microsoft.Orleans.CounterControl (1.1.1)
Microsoft.Orleans.Core** (>= 1.1.1)**
Microsoft.Orleans.OrleansRuntime** (>= 1.1.1)**
Microsoft.Orleans.OrleansRuntime (1.1.1)
Microsoft.Orleans.Core** (>= 1.1.1)**

All dependencies are more permissive that is specified. I understand that these dependencies ranges are coming from nugets but I think they should be overridden in lock file. This will allow us to force users to use specific version of transitive dependencies

[forki]

The indented lines are only showing the restrictions from the package nuspec. They are combined with the stuff that you specify in the dependencies file. As a result you see that we select the correct versions.

[forki]

In other words: indented lines are only for information. They don't represent what we select

[tsibelman]

Ok I see that when I create nuget packages the dependencies from paket.dependencies are not used in nuspec

[forki]

Or maybe I don't understand what you are describing.

[tsibelman]

I will try again :)

I created some nuget let's call it Common.dll, that has dependency on 3 Microsoft.Orleans nugets of specific version, I checked the nuspec file and it looks like all dependencies there are correct, here a sample:

  <dependency id="Microsoft.Orleans.OrleansRuntime" version="1.1.1" />
  <dependency id="Microsoft.Orleans.CounterControl" version="1.1.1" />
  <dependency id="Microsoft.Orleans.Core" version="1.1.1" />

But when I use the Common.dll nuget in my other project I don't get 1.1.1 versions but get 1.1.2 version of Orleans dependencies.

[tsibelman]

Ok I see the issue is the forma of the version it writen as version="1.1.1" but it should be specified as version="[1.1.1]"
https://docs.nuget.org/create/versioning

1.0 = 1.0 ≤ x
[1.0] = x == 1.0

[forki]

dependency id="Microsoft.Orleans.OrleansRuntime" version="1.1.1"

means >= 1.1.1

[tsibelman]

Now i don't understand

[forki]

sorr reformatted

[tsibelman]

Yes but in paket i wrote it as specific version

[forki]

are you sure? Can I see a repro?

[forki]

wait a minute. I think I can reproduce

[tsibelman]

You can use the samples I used in first post.

[forki]

mhm. sorry I can't reproduce. 050bafb shows correct behaviour.

[tsibelman]

Hi I am attached scenario that can reproduce it, just rename file to zip

ConsoleApplication1.txt

[forki]

If I do pack I get:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<package xmlns="http://schemas.microsoft.com/packaging/2011/10/nuspec.xsd">
  <metadata>
    <id>ConsoleApplication1</id>
    <version>1.0.0.0</version>
    <title>ConsoleApplication1</title>
    <authors></authors>
    <description></description>
    <dependencies>
      <dependency id="Microsoft.Orleans.OrleansRuntime" version="[1.1.1]" />
      <dependency id="Microsoft.Orleans.CounterControl" version="[1.1.1]" />
      <dependency id="Microsoft.Orleans.Core" version="[1.1.1]" />
    </dependencies>
  </metadata>
</package>

[tsibelman]

I use following command to pack: paket pack output nugets minimum-from-lock-file buildplatform x64

[forki]

minimum-from-lock-file

Why didn't you say that before? ;-)

[tsibelman]

From my point of view every one should use minimum-from-lock-file exclusively :)

[forki]

nope, that's only one of possible workflows.

[forki]

anyways will add a test and a fix for that

[tsibelman]

Thank you

[forki]

please try latest

[tsibelman]

Works perfect thank you