Has anyone experienced a Docker build deciding to upgrade some packages by itself? My build was failing remotely (and locally when I tested) due to plug_crypto being upgraded by the mix deps.get command, with the following output:
I’m really confused as to what happened because my understanding is that mix deps.get will retrieve the locked versions? The mix.exs file was modified to use a :path for an unrelated package, but mix.lock was unchanged. The packages were within the permitted version constraints at all times.
The Dockerfile does the standard “dance” for efficiency reasons:
    ...
    # Copy dependency config
    COPY mix.* /app/
    # Copy configs
    COPY config /app/config
    # install dependencies
    RUN mix do deps.get, deps.compile
    # Copy app
    COPY . .
    # build release
    RUN \
      mkdir -p /app/build && \
      mix release --overwrite --path /app/build
    ...
I think the failure occurred because the final COPY . . reset mix.lock, causing a mismatch:
    #25 1.000 * plug_crypto (Hex package)
    #25 1.000 lock mismatch: the dependency is out of date. To fetch locked version run "mix deps.get"
    #25 1.000 * plug (Hex package)
    #25 1.000 lock mismatch: the dependency is out of date. To fetch locked version run "mix deps.get"
    #25 1.005 ** (Mix) Can't continue due to errors on dependencies
    #25 ERROR: process "/bin/sh -c mkdir -p /app/build && mix release --overwrite --path /app/build" did not complete successfully: exit code: 1
I ended up merging in the updated packages in order to fix the problem and now I can’t even reproduce it by going back to the old commits.
So I guess my question is, under what circumstances can mix deps.get choose to “upgrade” packages? For some reason I can’t even find the string where the “Upgraded:” prompt is output in
This is on the hexpm/elixir:1.14.0-erlang-25.0.4-alpine-3.16.1 image so everything is pretty up-to-date.
Thanks for any insights!
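
The following is an added example, not part of the original post or of Mix itself: a POSIX shell check that compares two copies of mix.lock and names the Hex packages whose locked version or checksum differs, so a build can stop with a clear message if the lockfile present at release time is not the one the dependency layer was built from. The function names (`lock_drift`, `verify_lock`, `make_sample`) and the sample lockfile contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report Hex packages whose locked version or checksum differs
# between two copies of mix.lock (for instance the one copied before
# `mix deps.get` and the one present after `COPY . .`).
lock_drift() {
  awk -F'"' '
    !/[{]:hex,/ { next }   # Hex entries only: $2=name, $4=version, $6=checksum
    !side { ver[$2] = $4; sum[$2] = $6; next }   # first file: remember entries
    {
      seen[$2] = 1
      if (!($2 in ver))       printf "added %s %s\n", $2, $4
      else if (ver[$2] != $4) printf "changed %s %s -> %s\n", $2, ver[$2], $4
      else if (sum[$2] != $6) printf "checksum %s %s\n", $2, $4
    }
    END { for (p in ver) if (!(p in seen)) printf "removed %s %s\n", p, ver[p] }
  ' "$1" side=new "$2" | sort
}

# Return non-zero (failing a Docker RUN step) when the lockfile has drifted.
verify_lock() {
  drift=$(lock_drift "$1" "$2")
  [ -z "$drift" ] && return 0
  printf 'mix.lock drift since deps.get:\n%s\n' "$drift" >&2
  return 1
}

# Constructed sample lockfiles (versions and checksums are made up).
make_sample() {
  cat > "$1/before.lock" <<'EOF'
%{
  "plug": {:hex, :plug, "1.0.0", "aaaa", [:mix], [], "hexpm", "bbbb"},
  "plug_crypto": {:hex, :plug_crypto, "1.0.0", "cccc", [:mix], [], "hexpm", "dddd"},
  "telemetry": {:hex, :telemetry, "1.0.0", "eeee", [:rebar3], [], "hexpm", "ffff"},
}
EOF
  sed -e '/:plug,/s/1\.0\.0/1.1.0/' -e '/:plug_crypto,/s/1\.0\.0/1.0.1/' \
      -e '/:telemetry,/s/eeee/9999/' "$1/before.lock" > "$1/after.lock"
}

dir=$(mktemp -d)
make_sample "$dir"
verify_lock "$dir/before.lock" "$dir/after.lock" || echo "build would stop here"
```

In a Dockerfile like the one above, the snapshot would be a copy of mix.lock saved in the same RUN step as the dependency fetch, and `verify_lock` would run against it after the final COPY and before the release step. A reported `checksum` line with an unchanged version is worth treating as a supply-chain signal rather than ordinary drift.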