fix: respect update_refs in download_callback and skip logic (#548) #550
Merged
danielmeppiel merged 4 commits on Apr 2, 2026
…ft#548)

When running `apm deps update`, the BFS download_callback was using locked SHAs from the lockfile for transitive dependencies instead of resolving the latest ref. Additionally, packages marked as already_resolved in the callback unconditionally skipped SHA comparison in the sequential loop.

Two changes:
- download_callback: gate locked_ref usage with `not update_refs`
- sequential loop: gate already_resolved skip with `not update_refs`

Normal install behavior (update_refs=False) is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…rosoft#548)

- dependencies.md: clarify --update re-resolves transitive deps
- cli-commands.md: specify 'direct and transitive' in deps update description
- test_install_update_refs.py: expand from 17 to 27 tests with exhaustive truth table and improved docstrings (architect review)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Fixes apm deps update behavior so --update (update_refs=True) does not reuse stale locked SHAs for transitive dependencies during resolution/download, aligning update behavior with expected “re-resolve latest refs” semantics.
Changes:
- Gate `download_callback()`'s lockfile SHA override behind `not update_refs` so updates use the manifest ref instead of the locked SHA.
- Gate sequential-loop `already_resolved` skip logic behind `not update_refs` so `--update` forces SHA comparison instead of blindly skipping.
- Add unit tests and update docs/changelog to describe “direct and transitive” update behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/apm_cli/commands/install.py | Adjusts locked-ref selection and skip logic to respect update_refs=True. |
| tests/unit/test_install_update_refs.py | Adds tests for the two updated boolean conditions. |
| docs/src/content/docs/guides/dependencies.md | Clarifies that --update re-resolves transitive dependencies (refs) as well. |
| docs/src/content/docs/reference/cli-commands.md | Updates deps update description to explicitly include transitive deps. |
| CHANGELOG.md | Adds an [Unreleased] > Fixed entry for the bugfix. |
- Break skip_download expression across multiple lines (install.py)
- Wrap parametrize argument tuple across lines (test file)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Apr 2, 2026
danielmeppiel approved these changes Apr 2, 2026
sergio-sisternes-epam added a commit that referenced this pull request May 19, 2026
…550)

* fix: respect update_refs in download_callback and skip logic (#548)

When running `apm deps update`, the BFS download_callback was using locked SHAs from the lockfile for transitive dependencies instead of resolving the latest ref. Additionally, packages marked as already_resolved in the callback unconditionally skipped SHA comparison in the sequential loop.

Two changes:
- download_callback: gate locked_ref usage with `not update_refs`
- sequential loop: gate already_resolved skip with `not update_refs`

Normal install behavior (update_refs=False) is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: clarify transitive dep re-resolution; expand test coverage (#548)

- dependencies.md: clarify --update re-resolves transitive deps
- cli-commands.md: specify 'direct and transitive' in deps update description
- test_install_update_refs.py: expand from 17 to 27 tests with exhaustive truth table and improved docstrings (architect review)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* style: address Copilot review formatting feedback

- Break skip_download expression across multiple lines (install.py)
- Wrap parametrize argument tuple across lines (test file)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Sergio Sisternes <sergio.sisternes@epam.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Daniel Meppiel <51440732+danielmeppiel@users.noreply.github.com>
Summary
Fixes #548 -- `apm deps update` now correctly re-resolves transitive dependencies instead of silently reusing stale locked SHAs from the lockfile.

Problem
When running `apm deps update`, transitive dependencies could be skipped in two ways:
- `download_callback()` (BFS resolution) pinned transitive deps to the old locked SHA from `apm.lock.yaml`, ignoring `update_refs=True`.
- `already_resolved` (set by the callback) unconditionally bypass SHA comparison, so even when the remote had a newer commit the download was skipped.

The net effect: `apm deps update` would report "All packages already at latest refs" while transitive dependencies remained at stale commits.

Fix
Two surgical changes in `install.py` (+3/-3 lines):
- `if locked_ref:` -> `if locked_ref and not update_refs:` -- callback uses the manifest ref (latest) during `--update` instead of the locked SHA.
- `already_resolved` -> `(already_resolved and not update_refs)` -- forces SHA comparison in the sequential loop during `--update`.

Normal install behavior (`update_refs=False`) is completely unchanged.

Testing
- truth table (`test_install_update_refs.py`)
- pushed a new commit upstream, confirmed `apm deps update` re-downloaded all 3 packages at the new SHA

Documentation
- `dependencies.md`: clarified that `--update` re-resolves transitive deps
- `cli-commands.md`: specified "direct and transitive" in `deps update` description
- `CHANGELOG.md`: entry under `[Unreleased] > Fixed`

Changed files
- `src/apm_cli/commands/install.py` `not update_refs`
- `tests/unit/test_install_update_refs.py`
- `docs/src/content/docs/guides/dependencies.md`
- `docs/src/content/docs/reference/cli-commands.md`
- `CHANGELOG.md`
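
The two gates from the description above, modelled as an added example that is not part of the PR and is not apm's `install.py`: a toy resolver whose `gated` flag switches between the pre-fix and post-fix conditions. Only `update_refs`, `locked_ref`, `already_resolved` and `skip_download` are names from the page; the dependency names, SHAs and function names are constructed.

```python
# Toy model of the two conditions changed in this PR; not apm's install.py.
# Dependency names, SHAs and function names are constructed for illustration.
REMOTE_HEAD = {"app/direct": "bbb222", "lib/transitive": "ddd444"}  # latest upstream
LOCKFILE = {"app/direct": "aaa111", "lib/transitive": "ccc333"}     # older pins
TRANSITIVE = ["lib/transitive"]  # deps reached through the BFS callback


def resolve(update_refs, gated):
    """Return {dep: installed_sha}; gated=True applies the `not update_refs` gates."""
    installed, resolved_by_callback = {}, set()

    # Phase 1: BFS download callback for transitive deps.
    for dep in TRANSITIVE:
        locked_ref = LOCKFILE.get(dep)
        # pre-fix:  if locked_ref:
        # post-fix: if locked_ref and not update_refs:
        if locked_ref and (not gated or not update_refs):
            installed[dep] = locked_ref          # pinned to the lockfile SHA
        else:
            installed[dep] = REMOTE_HEAD[dep]    # manifest ref, resolved to latest
        resolved_by_callback.add(dep)

    # Phase 2: sequential loop over every dependency.
    for dep, locked_sha in LOCKFILE.items():
        already_resolved = dep in resolved_by_callback
        # pre-fix:  already_resolved
        # post-fix: (already_resolved and not update_refs)
        skip_download = already_resolved and (not gated or not update_refs)
        if skip_download:
            continue
        # SHA comparison: an update targets the remote head, an install the pin.
        target = REMOTE_HEAD[dep] if update_refs else locked_sha
        if installed.get(dep) != target:
            installed[dep] = target
    return installed


def stale(installed):
    """Deps whose installed SHA is behind the remote head."""
    return sorted(d for d, sha in installed.items() if sha != REMOTE_HEAD[d])


if __name__ == "__main__":
    print("update, pre-fix :", stale(resolve(update_refs=True, gated=False)))
    print("update, post-fix:", stale(resolve(update_refs=True, gated=True)))
    print("install unchanged:", resolve(False, False) == resolve(False, True) == LOCKFILE)
```

With `update_refs=False` both variants return the lockfile pins, so reproducible installs are unaffected; only the update path changes.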