Skip to content

Add Package.resolved and dependabot.yml#147

Closed
incertum wants to merge 2 commits intoswift-server:mainfrom
incertum:add-resolved-packages-dependabot
Closed

Add Package.resolved and dependabot.yml#147
incertum wants to merge 2 commits intoswift-server:mainfrom
incertum:add-resolved-packages-dependabot

Conversation

@incertum
Copy link
Copy Markdown
Contributor

@incertum incertum commented Sep 26, 2025

Add Package.resolved and dependabot.yml

@incertum
new: commit Package.resolved
e471726 
Signed-off-by: Melissa Kilby <mkilby@apple.com>
@incertum
new: add dependabot.yml
02e592a 
Signed-off-by: Melissa Kilby <mkilby@apple.com>
@incertum incertum added the 🔨 semver/patch No public API change. label Sep 26, 2025
FranzBusch
FranzBusch requested changes Oct 6, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@FranzBusch FranzBusch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that we should go ahead with this PR. The recommendation right now is to not commit the resolved file in libraries since the file has no impact on users of the package. Furthermore, libraries should avoid bumping the min versions unless there is a need for it e.g. new APIs available in a dependency.

@incertum
Copy link
Copy Markdown
Contributor Author

incertum commented Oct 7, 2025

I don't think that we should go ahead with this PR. The recommendation right now is to not commit the resolved file in libraries since the file has no impact on users of the package. Furthermore, libraries should avoid bumping the min versions unless there is a need for it e.g. new APIs available in a dependency.

There is a bigger discussion ongoing around this. Let's move this PR to draft state until there are new features or a new decision / outcome in this regard.

@incertum incertum marked this pull request as draft October 7, 2025 22:32
@ktoso
Copy link
Copy Markdown
Collaborator

ktoso commented Oct 7, 2025

Yeah, it is not useful to have a Package.resolved in libraries.

Package.resolved isn't a real lock file; it doesn't matter at all in libraries either since consumer will just resolve anyway.

@incertum
Copy link
Copy Markdown
Contributor Author

incertum commented Oct 7, 2025

Yeah, it is not useful to have a Package.resolved in libraries.

Package.resolved isn't a real lock file; it doesn't matter at all in libraries either since consumer will just resolve anyway.

ACK. Hoping this changes in the future and there will be new features allowing honoring a library’s real lock file (aligning with security best practices :)).

ktoso
ktoso requested changes Oct 7, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ktoso ktoso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should do this in libraries

@incertum incertum closed this Dec 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ktoso ktoso ktoso requested changes

@FranzBusch FranzBusch FranzBusch requested changes

Assignees

No one assigned

Labels

🔨 semver/patch No public API change.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@incertum @ktoso @FranzBusch