From 3ad1cb36458629e11cf593a329bf42da05fc4487 Mon Sep 17 00:00:00 2001
From: Daniel Chao
Date: Fri, 15 May 2026 11:48:57 -0700
Subject: [PATCH] Ensure local dependency matches PklProject.dep.json version (#1594)

The version of local project dependencies should _always_ exactly match up with what's declared in a PklProject.deps.json; any package in the transitive dependency tree should always be delcaring the same import too.

Closes #1591
---
 .../pkl/core/module/ProjectDependenciesManager.java | 12 +++++++++++-
 .../resources/org/pkl/core/errorMessages.properties | 8 ++++++++
 .../input/projects/badProjectDeps7/PklProject | 7 +++++++
 .../projects/badProjectDeps7/PklProject.deps.json | 10 ++++++++++
 .../input/projects/badProjectDeps7/bug.pkl | 3 +++
 .../input/projects/project1/PklProject.deps.json | 4 ++--
 .../input/projects/project3/PklProject.deps.json | 4 ++--
 .../input/projects/project6/PklProject | 4 ++--
 .../output/projects/badProjectDeps7/bug.err | 11 +++++++++++
 9 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject
 create mode 100644 pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject.deps.json
 create mode 100644 pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/bug.pkl
 create mode 100644 pkl-core/src/test/files/LanguageSnippetTests/output/projects/badProjectDeps7/bug.err

diff --git a/pkl-core/src/main/java/org/pkl/core/module/ProjectDependenciesManager.java b/pkl-core/src/main/java/org/pkl/core/module/ProjectDependenciesManager.java
index 1194f938..bf582738 100644
--- a/pkl-core/src/main/java/org/pkl/core/module/ProjectDependenciesManager.java
+++ b/pkl-core/src/main/java/org/pkl/core/module/ProjectDependenciesManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Apple Inc. and the Pkl project authors. All rights reserved.
+ * Copyright © 2024-2026 Apple Inc. and the Pkl project authors. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import org.pkl.core.PklBugException;
 import org.pkl.core.SecurityManager;
 import org.pkl.core.SecurityManagerException;
 import org.pkl.core.packages.Dependency;
+import org.pkl.core.packages.Dependency.LocalDependency;
 import org.pkl.core.packages.DependencyMetadata;
 import org.pkl.core.packages.PackageLoadError;
 import org.pkl.core.packages.PackageUri;
@@ -111,6 +112,15 @@ public final class ProjectDependenciesManager {
 private void checkProjectDependencyOutOfDate(
 URI projectFileUri, PackageUri declaredPackage, Dependency resolvedDependency) {
+ // local dependencies must match up exactly (they are expected to always stay in sync).
+ if (resolvedDependency instanceof LocalDependency localDependency
+ && !declaredPackage.getVersion().equals(localDependency.getVersion())) {
+ throw new PackageLoadError(
+ "projectDependenciesLocalDependencyOutOfSync",
+ projectFileUri,
+ declaredPackage.getDisplayName(),
+ resolvedDependency.getPackageUri().getDisplayName());
+ }
 if (resolvedDependency.getVersion().compareTo(declaredPackage.getVersion()) < 0) {
 throw new PackageLoadError(
 "projectDependenciesOutOfDateInProject",
diff --git a/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties b/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties
index f66d2f85..6bcd3aa1 100644
--- a/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties
+++ b/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties
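Review bot: The new guard at the top of `checkProjectDependencyOutOfDate` fires whenever the resolved entry is a `LocalDependency`, whatever form the declaration took, so a resolved local version newer than the declared one, which the `compareTo(...) < 0` check below still accepts for other dependencies, is now an error. If a declarer elsewhere in the tree can name the same package by a remote URI (not visible in this hunk), it will now fail as well; the commit message says that should not occur, but only `badProjectDeps7` (direct local import, lock file at 1.5.0 against 1.0.0) pins the behaviour, so a fixture with the lock file behind the project would be worth adding. The local entries in the fixtures carry only `type`, `uri` and `path`, so this version comparison appears to be the only check tying a lock entry to the project on disk, and the comment could say so: `// local entries have no checksum; the version is the only link between the lock file and the project on disk, so it must match exactly`. The guard uses `equals` where the existing check uses `compareTo`, so "exactly" means whatever `Version.equals` compares, which is not shown here. The binding `localDependency` is used once while the throw goes back to `resolvedDependency`, so use one name throughout; the method body continues past the end of the hunk.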
@@ -888,6 +888,14 @@ Resolved: `{2}`\n\
 \n\
 Run `pkl project resolve` to update resolved dependencies.
+projectDependenciesLocalDependencyOutOfSync=\
+Project `{0}` declares a dependency on a local package whose version doesn''t match what is declared in `PklProject.deps.json`.\n\
+\n\
+Declared: `{1}`\n\
+Resolved: `{2}`\n\
+\n\
+Run `pkl project resolve` to update resolved dependencies.
+
 invalidPackageZipChecksum=\
 Cannot download package `{0}` because the computed checksum does not match the expected checksum.\n\
 \n\
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject
new file mode 100644
index 00000000..9eeed592
--- /dev/null
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject
@@ -0,0 +1,7 @@
+amends "pkl:Project"
+
+dependencies {
+ // version declared in PklProject.deps.json does not line up with what this local dependency
+ // tells us its version is
+ ["project6"] = import("../project6/PklProject")
+}
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject.deps.json b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject.deps.json
new file mode 100644
index 00000000..5bb47c08
--- /dev/null
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/PklProject.deps.json
@@ -0,0 +1,10 @@
+{
+ "schemaVersion": 1,
+ "resolvedDependencies": {
+ "package://localhost:0/project6@1": {
+ "type": "local",
+ "uri": "projectpackage://localhost:0/project6@1.5.0",
+ "path": "../project6/"
+ }
+ }
+}
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/bug.pkl b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/bug.pkl
new file mode 100644
index 00000000..cd613f4c
--- /dev/null
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/badProjectDeps7/bug.pkl
@@ -0,0 +1,3 @@
+import "@project6/children.pkl"
+
+res = children
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project1/PklProject.deps.json b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project1/PklProject.deps.json
index 55d204bf..803186a5 100644
--- a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project1/PklProject.deps.json
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project1/PklProject.deps.json
@@ -20,9 +20,9 @@
 "uri": "projectpackage://localhost:0/project2@1.0.0",
 "path": "../project2/"
 },
- "package://localhost:12110/project6@1": {
+ "package://localhost:0/project6@1": {
 "type": "local",
- "uri": "projectpackage://localhost:12110/project6@1.0.0",
+ "uri": "projectpackage://localhost:0/project6@1.0.0",
 "path": "../project6/"
 },
 "package://localhost:0/badImportsWithinPackage@1": {
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project3/PklProject.deps.json b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project3/PklProject.deps.json
index 55d204bf..803186a5 100644
--- a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project3/PklProject.deps.json
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project3/PklProject.deps.json
@@ -20,9 +20,9 @@
 "uri": "projectpackage://localhost:0/project2@1.0.0",
 "path": "../project2/"
 },
- "package://localhost:12110/project6@1": {
+ "package://localhost:0/project6@1": {
 "type": "local",
- "uri": "projectpackage://localhost:12110/project6@1.0.0",
+ "uri": "projectpackage://localhost:0/project6@1.0.0",
 "path": "../project6/"
 },
 "package://localhost:0/badImportsWithinPackage@1": {
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project6/PklProject b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project6/PklProject
index a574a7a7..5fd11efa 100644
--- a/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project6/PklProject
+++ b/pkl-core/src/test/files/LanguageSnippetTests/input/projects/project6/PklProject
@@ -2,7 +2,7 @@ amends "pkl:Project"
 package {
 name = "project6"
- baseUri = "package://localhost:12110/project6"
+ baseUri = "package://localhost:0/project6"
 version = "1.0.0"
- packageZipUrl = "https://localhost:12110/project6/project6-\(version).zip"
+ packageZipUrl = "https://localhost:0/project6/project6-\(version).zip"
 }
diff --git a/pkl-core/src/test/files/LanguageSnippetTests/output/projects/badProjectDeps7/bug.err b/pkl-core/src/test/files/LanguageSnippetTests/output/projects/badProjectDeps7/bug.err
new file mode 100644
index 00000000..ec840a99
--- /dev/null
+++ b/pkl-core/src/test/files/LanguageSnippetTests/output/projects/badProjectDeps7/bug.err
@@ -0,0 +1,11 @@
+–– Pkl Error ––
+Project `file:///$snippetsDir/input/projects/badProjectDeps7/PklProject` declares a dependency on a local package whose version doesn't match what is declared in `PklProject.deps.json`.
+
+Declared: `package://localhost:0/project6@1.0.0`
+Resolved: `package://localhost:0/project6@1.5.0`
+
+Run `pkl project resolve` to update resolved dependencies.
+
+x | import "@project6/children.pkl"
+ ^^^^^^^^^^^^^^^^^^^^^^^^
+at bug (file:///$snippetsDir/input/projects/badProjectDeps7/bug.pkl)