Prevent upgrades to prerelease when constrained to stable versions

Author: chika3742

lib/src/solver/package_lister.dart

@@ -162,10 +162,16 @@ class PackageLister {
   /// Returns the best version of this package that matches [constraint]
   /// according to the solver's prioritization scheme, or `null` if no versions
   /// match.
+  /// If [allowPrereleases] is false, this will only consider non-prerelease
+  /// versions unless there are no non-prerelease versions that match
+  /// [constraint].
   ///
   /// Throws a [PackageNotFoundException] if this lister's package doesn't
   /// exist.
-  Future<PackageId?> bestVersion(VersionConstraint constraint) async {
+  Future<PackageId?> bestVersion(
+    VersionConstraint constraint, {
+    bool allowPrereleases = true,
+  }) async {
     final locked = _locked;
     if (locked != null && constraint.allows(locked.version)) return locked;
 
@@ -192,13 +198,14 @@ class PackageLister {
       if (isPastLimit(id.version)) break;
 
       if (!constraint.allows(id.version)) continue;
+      if (!allowPrereleases && id.version.isPreRelease) continue;
       if (!id.version.isPreRelease) {
         return id;
       }
       bestPrerelease ??= id;
     }
 
-    return bestPrerelease;
+    return allowPrereleases ? bestPrerelease : null;
   }
 
   /// Returns incompatibilities that encapsulate [id]'s dependencies, or that

lib/src/solver/version_solver.dart

@@ -396,9 +396,26 @@ class VersionSolver {
       return null; // when unsatisfied.isEmpty
     }
 
+    bool isDirectAndStable(String packageName) {
+      final dep = _root.pubspec.dependencies[packageName];
+      if (dep == null) return false; // not a direct dependency
+      final constraint = dep.constraint;
+      if (constraint is Version) {
+        return !constraint.isPreRelease;
+      }
+      if (constraint is VersionRange && constraint.min != null) {
+        return !constraint.min!.isPreRelease;
+      }
+      return false;
+    }
+
     PackageId? version;
     try {
-      version = await _packageLister(package).bestVersion(package.constraint);
+      // Prereleases are allowed only if not direct or not stable.
+      final allowPrereleases = !isDirectAndStable(package.name);
+      version = await _packageLister(
+        package,
+      ).bestVersion(package.constraint, allowPrereleases: allowPrereleases);
     } on PackageNotFoundException catch (error) {
       _addIncompatibility(
         Incompatibility([

test/dependency_services/dependency_services_test.dart

@@ -661,6 +661,33 @@ Future<void> main() async {
       environment: {'_PUB_TEST_SDK_VERSION': '3.5.0'},
     );
   });
+
+  testWithGolden('updates suppressed by prerelease dependency', (
+    context,
+  ) async {
+    final server = await servePackages();
+    server.serve('foo', '1.0.0', deps: {'baz': '^1.0.0'});
+    server.serve('foo', '2.0.0-dev.0', deps: {'baz': '^2.0.0'});
+    server.serve('bar', '1.0.0', deps: {'baz': '^1.0.0'});
+    server.serve('bar', '2.0.0', deps: {'baz': '^2.0.0'});
+    server.serve('baz', '1.0.0');
+    server.serve('baz', '2.0.0');
+
+    await d.appDir(dependencies: {'foo': '1.0.0', 'bar': '1.0.0'}).create();
+    await pubGet();
+
+    await _reportWithForbidden(
+      context,
+      {},
+      targetPackage: 'riverpod_lint',
+      resultAssertions: (report) {
+        expect(
+          dig<List>(report, ['dependencies', ('name', 'foo'), 'multiBreaking']),
+          isEmpty,
+        );
+      },
+    );
+  });
 }
 
 String? findChangeVersion(dynamic json, String updateType, String name) {

test/testdata/goldens/dependency_services/dependency_services_test/updates suppressed by prerelease dependency.txt

@@ -0,0 +1,131 @@
+# GENERATED BY: test/dependency_services/dependency_services_test.dart
+
+$ cat pubspec.yaml
+{"name":"myapp","dependencies":{"foo":"1.0.0","bar":"1.0.0"},"environment":{"sdk":"^3.0.2"}}
+$ cat pubspec.lock
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  bar:
+    dependency: "direct main"
+    description:
+      name: bar
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+  baz:
+    dependency: transitive
+    description:
+      name: baz
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+  foo:
+    dependency: "direct main"
+    description:
+      name: foo
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+sdks:
+  dart: ">=3.0.2 <4.0.0"
+-------------------------------- END OF OUTPUT ---------------------------------
+
+## Section report
+$ echo '{"target":"riverpod_lint","disallowed":[]}' | dependency_services report
+{
+  "dependencies": [
+    {
+      "name": "bar",
+      "version": "1.0.0",
+      "kind": "direct",
+      "source": {
+        "type": "hosted",
+        "description": {
+          "name": "bar",
+          "url": "http://localhost:$PORT",
+          "sha256": "e46cfed05052e950f7ded2b9f1a368b5f3705e1aa79b0ee22e041d62d88156eb"
+        }
+      },
+      "latest": "2.0.0",
+      "constraint": "1.0.0",
+      "compatible": [],
+      "singleBreaking": [],
+      "multiBreaking": []
+    },
+    {
+      "name": "baz",
+      "version": "1.0.0",
+      "kind": "transitive",
+      "source": {
+        "type": "hosted",
+        "description": {
+          "name": "baz",
+          "url": "http://localhost:$PORT",
+          "sha256": "a7efc9c78968fdb7a7eed37efa3d53caf8b0eef7921b512f581966733cc9fc46"
+        }
+      },
+      "latest": "2.0.0",
+      "constraint": null,
+      "compatible": [],
+      "singleBreaking": [],
+      "multiBreaking": []
+    },
+    {
+      "name": "foo",
+      "version": "1.0.0",
+      "kind": "direct",
+      "source": {
+        "type": "hosted",
+        "description": {
+          "name": "foo",
+          "url": "http://localhost:$PORT",
+          "sha256": "48a4851d3cf26e9152a94d346221669b294a26b4aa5d93290b7b3e63ce41eb3c"
+        }
+      },
+      "latest": "1.0.0",
+      "constraint": "1.0.0",
+      "compatible": [],
+      "singleBreaking": [],
+      "multiBreaking": []
+    }
+  ]
+}
+
+-------------------------------- END OF OUTPUT ---------------------------------
+
+$ cat pubspec.yaml
+{"name":"myapp","dependencies":{"foo":"1.0.0","bar":"1.0.0"},"environment":{"sdk":"^3.0.2"}}
+$ cat pubspec.lock
+# Generated by pub
+# See https://dart.dev/tools/pub/glossary#lockfile
+packages:
+  bar:
+    dependency: "direct main"
+    description:
+      name: bar
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+  baz:
+    dependency: transitive
+    description:
+      name: baz
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+  foo:
+    dependency: "direct main"
+    description:
+      name: foo
+      sha256: $SHA256
+      url: "http://localhost:$PORT"
+    source: hosted
+    version: "1.0.0"
+sdks:
+  dart: ">=3.0.2 <4.0.0"