Treat Git sources as immutable in lockfile (#6109)

## Summary We don't need to write metadata for Git sources, since we lock a specific SHA (and so the metadata is immutable).
2025-08-04 02:48:17 +00:00 · 2024-08-15 09:26:47 -04:00 · 2024-08-15 09:26:47 -04:00 · 7dbed4bb2d
commit 7dbed4bb2d
parent 29179570a1
3 changed files with 31 additions and 121 deletions
--- a/crates/uv-resolver/src/lock.rs
+++ b/crates/uv-resolver/src/lock.rs
@ -1808,8 +1808,10 @@ impl Source {
    ///
    /// We assume that registry sources are immutable. In other words, we expect that once a
    /// package-version is published to a registry, its metadata will not change.
+    ///
+    /// We also assume that Git sources are immutable, since a Git source encodes a specific commit.
    fn is_immutable(&self) -> bool {
-        matches!(self, Self::Registry(..))
+        matches!(self, Self::Registry(..) | Self::Git(_, _))
    }

    fn to_toml(&self, table: &mut Table) {
--- a/crates/uv/tests/edit.rs
+++ b/crates/uv/tests/edit.rs
@ -1924,16 +1924,6 @@ fn update() -> Result<()> {
            { name = "chardet" },
        ]

-        [package.metadata]
-        requires-dist = [
-            { name = "certifi", specifier = ">=2017.4.17" },
-            { name = "chardet", marker = "extra == 'use-chardet-on-py3'", specifier = "<6,>=3.0.2" },
-            { name = "charset-normalizer", specifier = "<4,>=2" },
-            { name = "idna", specifier = "<4,>=2.5" },
-            { name = "pysocks", marker = "extra == 'socks'", specifier = "!=1.5.7,>=1.5.6" },
-            { name = "urllib3", specifier = "<3,>=1.21.1" },
-        ]
-
        [[package]]
        name = "urllib3"
        version = "2.2.1"
--- a/crates/uv/tests/lock.rs
+++ b/crates/uv/tests/lock.rs
@ -2518,93 +2518,6 @@ fn lock_preference() -> Result<()> {
 fn lock_git_sha() -> Result<()> {
    let context = TestContext::new("3.12");

-    // Lock to a specific commit on `main`.
-    let pyproject_toml = context.temp_dir.child("pyproject.toml");
-    pyproject_toml.write_str(
-        r#"
-        [project]
-        name = "project"
-        version = "0.1.0"
-        requires-python = ">=3.12"
-        dependencies = ["uv-public-pypackage @ git+https://github.com/astral-test/uv-public-pypackage@0dacfd662c64cb4ceb16e6cf65a157a8b715b979"]
-        "#,
-    )?;
-
-    uv_snapshot!(context.filters(), context.lock(), @r###"
-        success: true
-        exit_code: 0
-        ----- stdout -----
-
-        ----- stderr -----
-        warning: `uv lock` is experimental and may change without warning
-        Resolved 2 packages in [TIME]
-        "###);
-
-    let lock = fs_err::read_to_string(context.temp_dir.join("uv.lock")).unwrap();
-    insta::with_settings!({
-        filters => context.filters(),
-    }, {
-        assert_snapshot!(
-            lock, @r###"
-        version = 1
-        requires-python = ">=3.12"
-
-        [options]
-        exclude-newer = "2024-03-25 00:00:00 UTC"
-
-        [[package]]
-        name = "project"
-        version = "0.1.0"
-        source = { editable = "." }
-        dependencies = [
-            { name = "uv-public-pypackage" },
-        ]
-
-        [package.metadata]
-        requires-dist = [{ name = "uv-public-pypackage", git = "https://github.com/astral-test/uv-public-pypackage?rev=0dacfd662c64cb4ceb16e6cf65a157a8b715b979#0dacfd662c64cb4ceb16e6cf65a157a8b715b979" }]
-
-        [[package]]
-        name = "uv-public-pypackage"
-        version = "0.1.0"
-        source = { git = "https://github.com/astral-test/uv-public-pypackage?rev=0dacfd662c64cb4ceb16e6cf65a157a8b715b979#0dacfd662c64cb4ceb16e6cf65a157a8b715b979" }
-        "###
-        );
-    });
-
-    // Rewrite the lockfile, as if it were locked against `main`.
-    let lock = lock.replace("rev=0dacfd662c64cb4ceb16e6cf65a157a8b715b979", "rev=main");
-    insta::with_settings!({
-        filters => context.filters(),
-    }, {
-        assert_snapshot!(
-            lock, @r###"
-        version = 1
-        requires-python = ">=3.12"
-
-        [options]
-        exclude-newer = "2024-03-25 00:00:00 UTC"
-
-        [[package]]
-        name = "project"
-        version = "0.1.0"
-        source = { editable = "." }
-        dependencies = [
-            { name = "uv-public-pypackage" },
-        ]
-
-        [package.metadata]
-        requires-dist = [{ name = "uv-public-pypackage", git = "https://github.com/astral-test/uv-public-pypackage?rev=main#0dacfd662c64cb4ceb16e6cf65a157a8b715b979" }]
-
-        [[package]]
-        name = "uv-public-pypackage"
-        version = "0.1.0"
-        source = { git = "https://github.com/astral-test/uv-public-pypackage?rev=main#0dacfd662c64cb4ceb16e6cf65a157a8b715b979" }
-        "###
-        );
-    });
-
-    fs_err::write(context.temp_dir.join("uv.lock"), lock)?;
-
    // Lock against `main`.
    let pyproject_toml = context.temp_dir.child("pyproject.toml");
    pyproject_toml.write_str(
@ -2617,26 +2530,10 @@ fn lock_git_sha() -> Result<()> {
        "#,
    )?;

-    // Note that we do not use `deterministic!` here because the results depend on the existing lockfile.
-    uv_snapshot!(context.filters(), context.lock(), @r###"
-    success: true
-    exit_code: 0
-    ----- stdout -----
-
-    ----- stderr -----
-    warning: `uv lock` is experimental and may change without warning
-    Resolved 2 packages in [TIME]
-    "###);
-
-    let lock = fs_err::read_to_string(context.temp_dir.join("uv.lock")).unwrap();
-
-    // The lockfile should resolve to `0dacfd662c64cb4ceb16e6cf65a157a8b715b979`, even though it's
-    // not the latest commit on `main`.
-    insta::with_settings!({
-        filters => context.filters(),
-    }, {
-        assert_snapshot!(
-            lock, @r###"
+    // Write the lockfile such that it's locked against `main`, but a specific commit that isn't
+    // the latest.
+    let lock = context.temp_dir.child("uv.lock");
+    lock.write_str(r#"
        version = 1
        requires-python = ">=3.12"

@ -2658,9 +2555,30 @@ fn lock_git_sha() -> Result<()> {
        name = "uv-public-pypackage"
        version = "0.1.0"
        source = { git = "https://github.com/astral-test/uv-public-pypackage?rev=main#0dacfd662c64cb4ceb16e6cf65a157a8b715b979" }
-        "###
-        );
-    });
+    "#)?;
+
+    // Lock against `main`.
+    let pyproject_toml = context.temp_dir.child("pyproject.toml");
+    pyproject_toml.write_str(
+        r#"
+        [project]
+        name = "project"
+        version = "0.1.0"
+        requires-python = ">=3.12"
+        dependencies = ["uv-public-pypackage @ git+https://github.com/astral-test/uv-public-pypackage@main"]
+        "#,
+    )?;
+
+    // The lockfile should be unchanged.
+    uv_snapshot!(context.filters(), context.lock().arg("--locked"), @r###"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+
+    ----- stderr -----
+    warning: `uv lock` is experimental and may change without warning
+    Resolved 2 packages in [TIME]
+    "###);

    // Relock with `--upgrade`.
    uv_snapshot!(context.filters(), context.lock().arg("--upgrade-package").arg("uv-public-pypackage"), @r###"