# Question about the lack of manifest.toml on hex packages

sick crown

from https://gleam.run/writing-gleam/:
There is now also a manifest.toml file which locks all the dependency packages to specific versions. It’s recommended to check this file into your version control system to ensure that anyone who downloads and runs your project will get the same versions of the dependencies. This manifest file isn’t uploaded to Hex so it is not used when other projects depend on your project.

Doesn't the lack of manifest.toml on the Hex package cause the problem of users potentially running different code than what the creator gets when testing it?

meager sonnet

Just like package lock in NPM, it's only for people working on your project directly, not for downstream consumers. So when someone else installs your package as a dep, it will only consider the dep ranges you have in gleam.toml. Otherwise, package authors would need to constantly bump versions or no one could get their transitive packages updated.

That said, the manifest is more useful for apps that are developed by multiple people rather than packages.