You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: auto-create mops.lock on first install (#457)
## Summary
- `mops.lock` is now created automatically on the first run of any
dependency command — no manual opt-in required
- On first creation, a one-time hint is printed recommending that
**applications** commit the file and **library authors** add it to
`.gitignore` (same convention as Cargo)
- Subsequent runs are idempotent — the hint does not repeat and no
unnecessary writes occur
## Motivation
Previously users had to run `mops i --lock update` once to bootstrap the
lock file. This is inconsistent with every major package manager (npm,
yarn, pnpm, Cargo, Bundler, Poetry) and meant most projects silently
missed the reproducibility and integrity benefits of `mops.lock`.
## Changes
- **`cli/integrity.ts`**: Collapse two-branch guard in `checkIntegrity`
to a single ternary — non-CI now always defaults to `"update"`; add
first-creation message in `updateLockFile`
- **`cli/tests/cli.test.ts`**: Integration tests for auto-creation,
idempotency, and `--lock ignore` opt-out; unset `CI` env to simulate
local behavior
- **`cli/tests/helpers.ts`**: Add `env` override field to `CliOptions`
to allow unsetting env vars in tests
- **`cli/tests/install/success/mops.toml`**: Dedicated fixture — avoids
race condition with `build.test.ts` which uses `build/success` in
parallel
- **`docs/docs/10-mops.lock.md`**: Rewrote — removed "disabled by
default" notice, added Libraries vs Applications guidance (Cargo-style),
added CI section, fixed "Opting out" to list only commands that accept
`--lock`
- **`cli/CHANGELOG.md`**: Entry under `## Next`
## Behavior preserved
- `--lock ignore` still fully bypasses creation on any command
- CI (`CI=1`) still defaults to `"check"` and silently skips if no lock
file exists
- All internal `silent: true` / `lock: "ignore"` call sites are
unaffected
## How to test
```bash
# First install creates the lock file
rm -f mops.lock && mops install
# Prints: "mops.lock created. Applications: commit this file. Libraries: add mops.lock to .gitignore."
# Second install is silent — no duplicate hint
mops install
# Opt-out works
rm -f mops.lock && mops install --lock ignore
# mops.lock does NOT exist
```
Copy file name to clipboardExpand all lines: cli/CHANGELOG.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,8 @@
2
2
3
3
## Next
4
4
5
+
-`mops.lock` is now created automatically the first time dependencies are installed — no need to run `mops i --lock update` once to opt in. Triggered by `mops install`, `mops add`, `mops remove`, `mops update`, `mops sync`, and `mops init` (when it installs dependencies). Applications should commit `mops.lock`; library authors should add it to `.gitignore`.
6
+
5
7
## 2.7.0
6
8
7
9
-`mops publish` no longer requires a `repository` field — it is now optional metadata (used by the registry UI for source links)
Copy file name to clipboardExpand all lines: docs/docs/10-mops.lock.md
+42-18Lines changed: 42 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,30 +5,54 @@ sidebar_label: mops.lock
5
5
6
6
# `mops.lock` file
7
7
8
-
:::info
9
-
Currently lockfile is disabled by default. You can enable it by running `mops i --lock update` once.
8
+
`mops.lock` is used to ensure integrity of dependencies, so that you can be sure that all dependencies have exactly the same source code as they had when the package author published them to the Mops Registry.
10
9
11
-
When `mops.lock` file exists, no need to specify `--lock` flag.
12
-
:::
10
+
`mops.lock` is created automatically the first time dependencies are installed, and kept up to date on every subsequent run. It is triggered by:
11
+
-`mops install`
12
+
-`mops add`
13
+
-`mops remove`
14
+
-`mops update`
15
+
-`mops sync`
16
+
-`mops init` (when it installs dependencies)
13
17
14
-
`mops.lock` is used to ensure integrity of dependencies, so that you can be sure that all dependencies have exactly the same source code as they had when the package author published them to the Mops Registry.
18
+
`mops.lock` is maintained by Mops and should not be manually edited.
19
+
20
+
## Should you commit `mops.lock`?
21
+
22
+
The answer depends on whether your project is an **application** or a **library**.
23
+
24
+
**Applications** (canisters, scripts, frontends) — commit `mops.lock`. It guarantees that every developer and CI environment installs the exact same dependency versions.
25
+
26
+
**Libraries** (packages published to the Mops registry) — add `mops.lock` to `.gitignore`. Your library will be used as a dependency inside other projects, and those projects will resolve their own dependency graph. Committing your lock file could mislead contributors into thinking the locked versions are significant.
15
27
16
-
A valid `mops.lock` speeds up `mops install` command because it avoids downloading intermediate versions of dependencies.
28
+
```bash
29
+
# .gitignore entry for library authors
30
+
mops.lock
31
+
```
17
32
18
-
_It's only faster when there are no global cached packages. For example you are running `mops install` inside a fresh Docker container. Or when you call `mops install` for the first time in a project._
33
+
This is the same convention used by [Cargo](https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries).
19
34
20
-
`mops.lock` contains the following information:
21
-
- Hash of `[dependencies]` and `[dev-dependencies]` section of `mops.toml` file
35
+
## Performance
36
+
37
+
A valid `mops.lock` speeds up `mops install` because it avoids resolving intermediate dependency versions.
38
+
39
+
_It's only faster when there are no globally cached packages — for example when running `mops install` inside a fresh Docker container or for the first time in a project._
40
+
41
+
## What `mops.lock` contains
42
+
43
+
- Hash of the `[dependencies]` and `[dev-dependencies]` sections of `mops.toml`
22
44
- All transitive dependencies with the final resolved versions
23
-
- Hash of each file of each dependency
45
+
- Hash of each file of each dependency (retrieved from the Mops registry canister)
24
46
25
-
File hashes are retrieved from the mops registry canister.
47
+
## CI environments
26
48
27
-
When `mops.lock` exists, it is updated(and checked) automatically when you run any of the following commands:
28
-
-`mops add`
29
-
-`mops remove`
30
-
-`mops install`
31
-
-`mops update`
32
-
-`mops sync`
49
+
In CI, if `mops.lock` does not exist, integrity checking is skipped and no lock file is created. To enforce the lock in CI, commit `mops.lock` to your repository before running CI.
50
+
51
+
## Opting out
52
+
53
+
To skip lock file creation and checks for a single run, pass `--lock ignore` to `mops install`, `mops add`, `mops remove`, `mops update`, or `mops sync`:
33
54
34
-
`mops.lock` maintained by Mops and should not be manually edited.
0 commit comments