Skip to content

fix: include lock files in dependency hash for cache invalidation#8818

Open
dcabib wants to merge 1 commit intoaws:developfrom
dcabib:fix/issue-8242-include-lockfiles-in-cache-hash
Open

fix: include lock files in dependency hash for cache invalidation#8818
dcabib wants to merge 1 commit intoaws:developfrom
dcabib:fix/issue-8242-include-lockfiles-in-cache-hash

Conversation

@dcabib
Copy link
Contributor

@dcabib dcabib commented Mar 17, 2026

Summary

Fixes #8242

When using sam build --cached, changes to lock files (package-lock.json, Gemfile.lock, etc.) were not triggering cache invalidation. This caused the build to skip dependency installation even when lock files specified different dependency versions, leaving functions with outdated or vulnerable dependencies.

Changes

Added a mapping of dependency managers to their lock file names in DependencyHashGenerator. When a lock file exists, the cache hash now includes both the manifest and lock file, ensuring proper cache invalidation when lock files change.

Supported lock files:

  • npm: package-lock.json
  • npm-esbuild: package-lock.json
  • bundler: Gemfile.lock
  • gradle: gradle.lockfile
  • cli-package (dotnet): packages.lock.json
  • modules (go): go.sum
  • cargo (rust): Cargo.lock
  • uv (python): uv.lock
  • poetry (python): poetry.lock

Implementation Details

The fix follows the approach suggested by @seshubaws to add a small mapping in DependencyHashGenerator rather than modifying the CONFIG namedtuple, keeping the change isolated and minimizing impact.

The implementation:

  • Checks if the dependency manager has a corresponding lock file
  • If the lock file exists, combines both manifest and lock file hashes
  • Returns a single combined hash for cache validation
  • Is backward compatible - lock files are optional

Testing

  • Manual testing with Node.js project confirmed cache invalidation works when package-lock.json changes
  • Existing unit tests pass (4/4)
  • Cache still works correctly when no changes are made

Test plan

  • Run existing unit tests: pytest tests/unit/lib/build_module/test_dependency_hash_generator.py
  • Test with Node.js project: modify package-lock.json and verify sam build --cached invalidates cache
  • Test with Ruby project: modify Gemfile.lock and verify cache invalidation
  • Verify cache still works when no changes are made

@dcabib @claude
fix: include lock files in dependency hash for cache invalidation
df95413 
Resolves aws#8242

When using `sam build --cached`, changes to lock files (package-lock.json,
Gemfile.lock, etc.) were not triggering cache invalidation, causing the
build to skip dependency installation even when lock files specified
different versions. This left functions with outdated or vulnerable
dependencies.

This fix adds a mapping of dependency managers to their lock file names
in DependencyHashGenerator. When a lock file exists, the cache hash now
includes both the manifest and lock file, ensuring proper cache
invalidation when lock files change.

Supported lock files:
- npm: package-lock.json
- npm-esbuild: package-lock.json
- bundler: Gemfile.lock
- gradle: gradle.lockfile
- cli-package (dotnet): packages.lock.json
- modules (go): go.sum
- cargo (rust): Cargo.lock
- uv (python): uv.lock
- poetry (python): poetry.lock

The implementation is backward compatible - lock files are optional and
the behavior remains unchanged for projects without lock files.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@dcabib dcabib requested a review from a team as a code owner March 17, 2026 13:04
@dcabib dcabib mentioned this pull request Mar 17, 2026
Open
@github-actions github-actions bot added area/build sam build command pr/external stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Mar 17, 2026
seshubaws
seshubaws reviewed Mar 17, 2026
View reviewed changes
samcli/lib/build/dependency_hash_generator.py
# Mapping of dependency managers to their lock file names
LOCK_FILE_MAPPING = {
"npm": "package-lock.json",
"npm-esbuild": "package-lock.json",
Copy link
Contributor

@seshubaws seshubaws Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we not need to add yarn.lock and pnpm-lock.yaml?

seshubaws
seshubaws reviewed Mar 17, 2026
View reviewed changes
samcli/lib/build/dependency_hash_generator.py
"""
if self._manifest_path_override:
manifest_file = self._manifest_path_override
config = None
Copy link
Contributor

@seshubaws seshubaws Mar 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we not wanting to add the config to the hash if there is a different manifest path? Can the lock file not still be resolved relative to the override path's directory?

@seshubaws
Copy link
Contributor

seshubaws commented Mar 17, 2026

Could you add tests for if there is a lock file present and not present, and if there is an unknown dep manager

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seshubaws seshubaws seshubaws left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

area/build sam build command pr/external stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: sam build --cached doesn't NpmInstall when package-lock.json changes

2 participants

@dcabib @seshubaws