Stop pinning dependencies

[spydon]

Use case

One of the biggest pain points for package authors (and probably app developers too) that have been brought up during the Dart & Flutter Package Ecosystem Summits is that Flutter has pinned versions of its dependencies.

Why do we not want pinned dependencies? Because it leads to a lot trickier dependency version resolution than it needs to be for the end user. I would say almost all Flutter developers have at some point ended up in dependency resolution hell, before they realize that some dependencies needs to be treated with special care.

Since all of the pinned dependencies are controlled by Google it should be fairly straight forward to set up a process so that they all have some tests towards Flutter before doing a new non-breaking release or doing deprecations.
The main ones are: intl, meta, collection path, vector_math and async.

The Flutter team’s rationale for using pinned versions is outlined in this document but I have been told that removing the dependency pinning is on the radar, so I just want to open this so that we can track it somewhere.

Proposal

Things that needs to be solved:

• Flutter builds should be hermetic.
• When dependencies bump their versions they should not be able to break Flutter.

For the first one I'm thinking that it could be solved with a lock file that isn't shipped with Flutter, but used for the builds.

For the second one my suggestion is that we introduce CI checks that needs to run before releasing a new version of the dependencies to make sure that they don't break anything in Flutter. Deprecations have to be taken into consideration here too, since they are not counted as breaking in semver.

[jakemac53]

I am not sure if it has been proposed in a GitHub issue, but there is an additional layer to this which I think would give us the best of both worlds.

The idea is to create a new package, flutter_pinned_deps or similar. It ships with the SDK (so it is an sdk: flutter dependency), and it has the versions of the deps from the lockfile, but pinned in the style that flutter pins deps today.

Then, if you want to have a more stable build, with versions of deps that have been tested with your flutter SDK, all you do is depend on that package. If you want to loosen the constraints and accept some amount of breakage risk, you don't depend on it. This allows the user to choose which mode they want to live in, and the maintenance burden should be low (the package could be easily automated).

In practice you might want a few of these, flutter_test_pinned_deps etc. But, if they are fully automated that is probably fine.

Alternative implementation

We could also flip this around a little bit, if the flutter repo migrated to use the "workspaces" feature from pub. Then, we would manually curate these packages and their pinned versions - and this would transitively enforce the versions in the other packages in the workspace.

You don't have to check in the pubspec.lock files in this case - these packages would be doing the version enforcement.

The workflow for upgrading packages would then just be changing the pinned versions in these packages, which would allow bumping them individually, which isn't something even the current workflow really allows.

[spydon]

We could also flip this around a little bit, if the flutter repo migrated to use the "workspaces" feature from pub. Then, we would manually curate these packages and their pinned versions - and this would transitively enforce the versions in the other packages in the workspace.

That sounds like a great idea! Then it should be very easy to properly check that a change is not breaking anything in Flutter too.

[stuartmorgan-g]

I'm not sure if there's an issue tracking it, but the other approach that's been floated for this in vendoring all of our dependencies. That doesn't work for anything we want to use in public APIs though.

[jakemac53]

Many of the pinned deps come from flutter_test which depends on (and re-exports) test_api, which also definitely leaks various things from its own public APIs. So, I don't think vendoring is really an option for flutter_test at least.