Pana should consider local version if dependency_overrides is given

[marandaneto]

Thanks for making pana better day by day.

pana could have an optional parameter like pana --allow-overrides to be used in CI during development.

The reason is that sometimes during local development, you add/remove things (APIs, methods, classes, etc...) that will make pana drop your points due to checking the latest version based on the dependency constraints.
This optional parameter would be likely used during development and CI before you get the chance to publish your new version.

E.g. https://github.com/getsentry/sentry-dart/runs/5276357655?check_suite_focus=true

[sigurdm]

Not sure I understand completely.

What would the semantics of --allow-overrides be?

Is it about dependency_overrides?

In my local testing pana . takes dependency_overrides into account. Perhaps this is an issue with https://github.com/axel-op/dart-package-analyzer and how it invokes pana?

[marandaneto]

Apparently, the dart package analyzer GH Action only calls pana with json and no-warning
https://github.com/axel-op/dart-package-analyzer/blob/master/app/bin/main.dart#L52-L53

I could actually reproduce that locally too.

Trying to explain with a real use case.

LibA is version 1.0.0 and has already been published.
LibB depends on LibA and it has a dependency_overrides using a local path, for debugging it locally.

LibA gets a new method, but it's not published yet on pub.dev.
LibB consumes this new method from LibA, and it compiles locally, since dependency_overrides forces using the local version which contains the new method from LibA.

Running pana on LibB fails due to the missing method on LibA, since it looks like it does not respect the dependency_overrides and rather pull the latest stable version, which is 1.0.0

I see that the GH Action plugin executes this as well:

dart pub outdated --json --up-to-date --no-dev-dependencies --no-dependency-overrides`

Maybe --no-dependency-overrides is the culprit?

[sigurdm]

Maybe --no-dependency-overrides is the culprit?

Ah yes - I didn't think about the call to dart pub outdated!

Not sure what is best here, but I feel adding another command-line parameter for this would make the tool hard to use correctly. Hopefully we could find a default behavior that makes sense.

Perhaps we should leave --no-dependency-overrides out when analyzing a local folder...

[marandaneto]

Perhaps we should leave --no-dependency-overrides out when analyzing a local folder...

Yep, that would be ideal, otherwise, it makes pana very flaky on CI when using with monorepo that depends on each other and using dependency_overrides for debugging reasons.

[Jordan-Nelson]

Another option would be to add a --no-pub flag to skip pulling in dependencies with pub. --no-pub is an option that the flutter CLI has. Here is the description from the flutter CLI:

--[no-]pub Whether to run "flutter pub get" before executing this command. (defaults to on)

For my use case, I am trying to use pana in CI in a monorepo that uses melos. We use the --no-pub option in CI for commands like flutter test because we do not want dependencies pulled from pub, we want local versions used.

I am assuming that pana is running pub get at some point. Adding a flag to simply skip that would enable use in mono repos that use melos.

[sigurdm]

Perhaps we should leave --no-dependency-overrides out when analyzing a local folder...

@isoos let's do this

[sigurdm]

We should still do this.