SPM needs a way to ignore or reset its recorded commit for a package

error: Revision e0cfeeeb0c951329c4eabf65ea967384b16dd695 for actionbuilderplugin remoteSourceControl https://github.com/elegantchaos/ActionBuilderPlugin.git version 1.0.3 does not match previously recorded value 5012c06ecaa241ecc171da7320ec1b2fd886e181

This sort of error can occur for legitimate reasons, for example during development, if a tag has been mistakenly attached to the wrong commit and later corrected and force-pushed.

Currently the way to resolve this seems to be to remove the Package.resolved file and delete the ~/.swiftpm directory.

We could do with a simple way to tell SPM "it's ok, I know what I'm doing and you can ignore it" in these cases.

Some alternatives:

  • a flag like --disable-security-checks which applies to any other command which causes package resolution to run
  • some new command like swift package purge-security-cache
  • an enhancement to swift package purge-cache to also include these values when purging

(note that "security-checks" probably isn't the right terminology - I just plucked that out of the air)

1 Like

An update could have additional/unforeseen consequence. I didn't try resolve, and I've deleted the problem now locally so I can't test easily, but I don't think it would fix it.

This already exists:

--resolver-fingerprint-checking <resolver-fingerprint-checking>
                          (default: strict)

The other value is warn, not entirely sure why it is not shown in the help output.

That does not sound like it deletes the stale fingerprint though. Or does it? If not, that is only a “solution” if you apply it to every invocation for the rest of your device’s lifetime.

1 Like

That's right, it is similar to the proposed --disable-security-checks, I guess, not the other alternatives.

So perhaps the proposal should be to add a third option reset to --resolver-fingerprint-checking, which would ignore previous results and instead record the current ones for future checking.