[Feature] Throw warning when package lockfile is regenerated #11913

@ttusing

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

Currently, when dbt detects that packages.yml has changed (via SHA1 hash comparison), it silently regenerates the package-lock.yml file during dbt deps. This can lead to confusion for users who may not realize their lockfile has been updated.

This can happen when some underlying unintended or unknown functionality is causing the lockfile to regenerate, for example:

Proposed solution: Add a warning message when dbt regenerates the lockfile due to changes in packages.yml, similar to how other package managers (npm, yarn, etc.) notify users when lockfiles are updated.

The warning would appear as:

Package lockfile is out of sync with packages.yml. Regenerating lockfile at: /path/to/package-lock.yml

This warning would only appear when:

  • A package-lock.yml exists
  • The --upgrade flag is NOT used (since that explicitly requests lockfile regeneration)
  • The SHA1 hash comparison shows packages.yml has been modified since the lockfile was last generated

Describe alternatives you've considered

Are you interested in contributing this feature?

Yes, I am interested in contributing this feature. The implementation would involve:

  1. Adding a new warning event type (DepsLockfileRegenerating) in types.py
  2. Importing and using this event in deps.py
  3. Adding the warning trigger in the DepsTask.run() method when package changes are detected
  4. Adding appropriate tests to ensure the warning appears in the correct scenarios

The changes would be minimal and focused, adding visibility without altering the core functionality of package management.


This issue relates to improving user experience and transparency in dbt's package management system.

Describe alternatives you've considered

  1. No action: Keep the current silent behavior

    • Pros: No additional output, maintains current UX
    • Cons: Users remain unaware of automatic lockfile changes
  2. Only show message with verbose flag

    • Pros: Reduces noise for users who don't want it
    • Cons: Most users who need this information wouldn't know to use verbose mode
  3. Add a flag to disable the warning

    • Pros: Gives users control
    • Cons: Adds complexity; warnings should generally be seen

Who will this benefit?

  • Development teams: Better awareness of when dependencies change, improving collaboration and reducing "it works on my machine" scenarios
  • New dbt users: Educational value in understanding how dbt's package management works

This change aligns with best practices from other package managers (npm, yarn, pip-tools, etc.) that provide clear feedback when lockfiles are regenerated.

Are you interested in contributing this feature?

Yes

Anything else?

No response
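
The three conditions listed in the request, as an added sketch that is not dbt's code and not part of the original post. The function names, the canonical form that is hashed, and the `sha1_hash:` line in the lockfile text are assumptions made for illustration; the sample package data is constructed.

```python
import hashlib
import json
import re

WARNING = ("Package lockfile is out of sync with packages.yml. "
           "Regenerating lockfile at: {path}")


def packages_fingerprint(packages):
    """SHA1 over a canonical rendering of the package specs (assumed form).

    Entries are serialized with sorted keys and then sorted, so reordering
    packages.yml does not count as a change.
    """
    rendered = sorted(json.dumps(p, sort_keys=True) for p in packages)
    return hashlib.sha1("\n".join(rendered).encode("utf-8")).hexdigest()


def stored_fingerprint(lockfile_text):
    """Read the recorded hash from lockfile text; None if absent or malformed."""
    m = re.search(r"^sha1_hash:\s*([0-9a-f]{40})\s*$", lockfile_text, re.MULTILINE)
    return m.group(1) if m else None


def lockfile_warning(packages, lockfile_text, upgrade=False,
                     lock_path="/path/to/package-lock.yml"):
    """Return the warning text, or None when no warning is due."""
    if lockfile_text is None:      # no package-lock.yml yet: first generation
        return None
    if upgrade:                    # --upgrade explicitly requests regeneration
        return None
    if stored_fingerprint(lockfile_text) == packages_fingerprint(packages):
        return None
    # A lockfile with no readable hash also lands here and is reported.
    return WARNING.format(path=lock_path)


# Constructed sample data, not taken from a real project.
PACKAGES = [
    {"package": "dbt-labs/dbt_utils", "version": "1.1.1"},
    {"package": "calogica/dbt_expectations", "version": "0.10.1"},
]
LOCKFILE = (
    "packages:\n"
    "  - package: dbt-labs/dbt_utils\n"
    "    version: 1.1.1\n"
    "  - package: calogica/dbt_expectations\n"
    "    version: 0.10.1\n"
    f"sha1_hash: {packages_fingerprint(PACKAGES)}\n"
)
EDITED = [dict(PACKAGES[0], version="1.3.0"), PACKAGES[1]]
```

A CI job can treat a non-`None` result as a failure, so an unexpected change to the pinned dependencies is caught in review rather than absorbed silently.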
