[question] lockfile validation #17590

jsallay opened this issue Jan 17, 2025 · 5 comments
jsallay (Contributor) commented Jan 17, 2025

What is your question?

Is there a good/correct way to see if a lockfile is valid for a given conanfile and what all of the problems are? If I update dependencies in my conanfile then I need to run either `conan lock create .` or `conan lock update --requires dep/version`. If I forget to update and run a command like `conan graph info .`, it tells me the first dependency that it finds that isn't in the lockfile but not all of them.

I am thinking of something like `conan graph info .` showing me what binaries are missing but for lockfile entries.

Have you read the CONTRIBUTING guide?

  • I've read the CONTRIBUTING guide

memsharded self-assigned this Jan 20, 2025

memsharded (Member) commented

Hi @jsallay

Thanks for your question.

I am afraid that there is no other way than just evaluating it with `conan graph info/create/install`....

It stops at the first "not-locked" requirement, because continuing to report others could easily produce false positives or false negatives. Because if it continues to evaluate the graph instead of stopping (in the same way a `--lockfile-partial` would do), it will use a not locked dependency which in turn can result in other new dependencies that are not in the lockfile, and those in turn can have other transitive dependencies.

So it seemed that trying to gather a full set of "not-locked" dependencies wouldn't be accurate and could be more confusing than helpful.

As long as the lockfile is not complete and does not lock all the necessary requirements, does it really matter that it stops and raises an error with that dependency only? What would be the utility of seeing more (potentially not fully correct) not locked dependencies?

jsallay (Contributor, Author) commented Jan 20, 2025

I understand where you are coming from and agree that you can easily end up with unhelpful results. I recently updated a few versions in a conanfile and forgot to update the lock file. It had been a few days and I didn't remember what exactly I had changed. Normally I would just create a new lock file in this case, but I wanted to try just updating the specific items. I ran `conan graph info .` and then did `conan lock update --requires pkg/version` to update that entry. I had to do this multiple times to get everything up to date in the lockfile.

Is there a better solution in this case? Should I just run `conan lock create` and not worry about it?

memsharded (Member) commented

We are trying to provide in #17577 a new `conan lock upgrade` that helps a bit to update lockfiles, to avoid having to do the `graph info` + `lock update` 2 commands, and to do everything in a single operation.
It will contain `--update-xxxx` arguments to have control over what is updated and what not, still the interface has to be reviewed, and there are some things not fully clear as what would be the defaults and opt-in/opt-out for upgrading transitive requirements of the upgraded one, but we are on it.

If the `conan lock upgrade` is not enough, then I guess a fresh `conan lock create` would be the way, but it really sounds like the `conan lock upgrade` will be the intermediate solution to have a partly controlled upgrade if that is the intention.

jsallay (Contributor, Author) commented Jan 20, 2025

That does sound like it would solve my problem. I'll close this issue and wait for that to be ready. Thanks.

jsallay closed this as completed Jan 20, 2025

memsharded (Member) commented

Great, let us know if you have any feedback once `conan lock upgrade` is out, thanks!
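
A partial pre-check for the situation discussed in this thread, as an added example (not Conan's code and not written by either participant): it lists every direct requirement with an exact version that has no entry in the lockfile, and stops there because the transitive requirements of an unlocked dependency are unknown until the graph is resolved. The lockfile layout is assumed from Conan 2 lockfiles; the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample lockfile; the layout ("requires" entries shaped like
# name/version#recipe_revision%timestamp) is assumed from Conan 2 lockfiles.
SAMPLE_LOCK = """
{
  "version": "0.5",
  "requires": [
    "zlib/1.3.1#aaaa0000%1700000000.0",
    "fmt/10.2.1#bbbb1111%1700000001.0"
  ],
  "build_requires": ["cmake/3.28.1#cccc2222%1700000002.0"],
  "python_requires": []
}
"""

def locked_refs(lock_text, section="requires"):
    """Return the set of name/version references pinned in one lockfile section."""
    entries = json.loads(lock_text).get(section, [])
    # Drop "#revision%timestamp" so only name/version is compared.
    return {entry.split("#", 1)[0] for entry in entries}

def check_direct_requires(direct, lock_text, section="requires"):
    """Split direct requirements into locked, unlocked and unchecked (ranges)."""
    pinned = locked_refs(lock_text, section)
    report = {"locked": [], "unlocked": [], "unchecked": []}
    for ref in direct:
        version = ref.partition("/")[2]
        if not version or version.startswith("["):
            # Version ranges need Conan's own resolver; do not guess a match.
            report["unchecked"].append(ref)
        elif ref in pinned:
            report["locked"].append(ref)
        else:
            # Only the direct reference is reported: its transitive
            # requirements are unknown until Conan resolves the graph.
            report["unlocked"].append(ref)
    return report

if __name__ == "__main__":
    # Constructed direct requirements, as if copied from a conanfile.
    direct = ["zlib/1.3.1", "fmt/11.0.2", "spdlog/1.14.1", "boost/[>=1.80 <2]"]
    for status, refs in check_direct_requires(direct, SAMPLE_LOCK).items():
        print(status, refs)
```

A clean result here does not prove the lockfile is complete; evaluating the graph with Conan itself remains the only full check, as stated in the thread.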
