
Workspace mark all dependencies as transitive in pubspec.lock when they are direct dependencies one workspace #4597

Open
@IchordeDionysos


Environment

Flutter 3.29.3 • channel stable • https://github.com/flutter/flutter.git
Framework • revision ea121f8859 (8 weeks ago) • 2025-04-11 19:10:07 +0000
Engine • revision cf56914b32
Tools • Dart 3.7.2 • DevTools 2.42.3

Problem

Relates to VeryGoodOpenSource/very_good_cli#1273

When setting up a mono-repo with Pub workspaces your project will look like this:

  • app/
    • pubspec.yaml
  • packages/
    • packageA/
      • pubspec.yaml
    • packageB/
      • pubspec.yaml
  • pubspec.yaml
  • pubspec.lock

In the pubspec.lock

very_good_cli expects to have a pubspec.lock file next to the pubspec.yaml file, meaning you can't run very_good_cli packages check licenses in the individual projects/packages (there is no pubspec.lock file anymore).

And you can't run very_good_cli packages check licenses in the workspace root, as it will look something like:

name: _
publish_to: none
environment:
  sdk: ^3.6.0
workspace:
  - app
  - packages/packageA
  - packages/packageB

# No direct dependencies
# dependencies:

dev_dependencies:
  build_runner: ^2.4.14
  freezed: ^2.5.7
  json_serializable: ^6.9.0

And as the dependencies are not installed in the pubspec.yaml file next to the pubspec.lock file, the output will be something like:

very_good packages check licenses
No hosted dependencies found in /Users/steve/flutter_monorepo of type: direct-main.

This is because, in the pubspec.lock file for the whole workspace, all dependencies are marked as transitive, even if they are added as direct dependencies in one of the projects that is part of the workspace:

environment:
  # Up-to-date with Dart stable releases: https://dart.dev/get-dart#release-channels.
  sdk: ">=3.6.0 <4.0.0"
  # Up-to-date with the latest Flutter version on the stable channel:
  # https://flutter.dev/docs/development/tools/sdk/releases
  flutter: ">=3.27.4"
resolution: workspace

dependencies:
  flutter:
    sdk: flutter
  flutter_localizations:
    sdk: flutter

  ### Firebase ###
  firebase_core: '>=3.0.0 <4.0.0'
  # Firestore Database
  cloud_firestore: '>=5.0.0 <6.0.0'

Expected behavior

cloud_firestore should be marked as direct_main package.

# Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  cloud_firestore:
    dependency: direct_main
    description:
      name: cloud_firestore
      sha256: ba89d4ae6ddaea0241f50a2dc1ffe36f32891f1a6bc78540f55d79c7f8ed536a
      url: "https://pub.dev"
    source: hosted
    version: "5.6.0"
  cloud_firestore_platform_interface:
    dependency: transitive
    description:
      name: cloud_firestore_platform_interface
      sha256: "966cfd6beb2e943f3363a7bced4476533caa55d2338ffd876855c07e5296d1d7"
      url: "https://pub.dev"
    source: hosted
    version: "6.6.0"

Actual behavior

cloud_firestore is marked as transitive package.

# Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  cloud_firestore:
    dependency: transitive
    description:
      name: cloud_firestore
      sha256: ba89d4ae6ddaea0241f50a2dc1ffe36f32891f1a6bc78540f55d79c7f8ed536a
      url: "https://pub.dev"
    source: hosted
    version: "5.6.0"
  cloud_firestore_platform_interface:
    dependency: transitive
    description:
      name: cloud_firestore_platform_interface
      sha256: "966cfd6beb2e943f3363a7bced4476533caa55d2338ffd876855c07e5296d1d7"
      url: "https://pub.dev"
    source: hosted
    version: "6.6.0"
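
An added example, not part of the original issue and not code from pub or very_good_cli: a Python check that cross-references the workspace pubspec.lock with each member's pubspec.yaml and lists packages locked as transitive that a member declares directly, which is the set a license check scoped to direct dependencies would miss. The function names and the trimmed sample data are constructed for illustration, and the line-based parsing assumes the two-space indentation shown in the files above.

```python
import re

def block_keys(pubspec_text, section):
    """Keys indented two spaces under the top-level `section:` mapping."""
    keys, inside = set(), False
    for line in pubspec_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments never end a block
        if not line.startswith(" "):      # any other top-level key opens or closes the block
            inside = line.split("#")[0].strip() == section + ":"
        elif inside and (m := re.match(r"  (\w+):", line)):
            keys.add(m.group(1))
    return keys

def locked_kinds(lock_text):
    """Map each package in pubspec.lock to its recorded `dependency:` kind."""
    kinds, name = {}, None
    for line in lock_text.splitlines():
        if m := re.match(r"  (\w+):\s*$", line):
            name = m.group(1)
        elif name and (m := re.match(r'    dependency:\s*"?([^"]+?)"?\s*$', line)):
            kinds[name] = m.group(1)
    return kinds

def hidden_direct_deps(lock_text, member_pubspecs):
    """Locked-as-transitive packages that some workspace member declares directly."""
    declared = set()
    for text in member_pubspecs:
        declared |= block_keys(text, "dependencies")
    return sorted(n for n, k in locked_kinds(lock_text).items()
                  if k == "transitive" and n in declared)

# Constructed sample data, trimmed from the excerpts in the issue above.
APP_PUBSPEC = """\
resolution: workspace
dependencies:
  ### Firebase ###
  firebase_core: '>=3.0.0 <4.0.0'
  # Firestore Database
  cloud_firestore: '>=5.0.0 <6.0.0'
"""
LOCK = """\
packages:
  cloud_firestore:
    dependency: transitive
  cloud_firestore_platform_interface:
    dependency: transitive
"""
print(hidden_direct_deps(LOCK, [APP_PUBSPEC]))
```

Packages declared by a member but absent from the lockfile text passed in (here `firebase_core`) are not reported, since the check only reclassifies entries that are actually locked.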


Labels: type-bug: Incorrect behavior (everything from a crash to more subtle misbehavior); type-enhancement: A request for a change that isn't a bug
