Management of transitive dependencies

Is there a way to lock versions of transitive dependencies when using Tuist’s dependency management system? Our CI broke when a minor version of a transitive dependency was released with a breaking change to a public API which we used (transitively).
Discussion in TCA’s Slack

Hey @MartinStrambach,

Tuist resolves dependencies through SPM, creating a Package.resolved file that should take the role of locking the dependencies. The file should be generated under .build/Package.resolved, either at the root or under the Tuist/ directory. Is yours being created and included in the Git repository? If it is, I wonder if we might be misusing SPM under the hood, or if there’s a bug in SPM that causes the lockfile to be ignored.

@pepicrft Thanks for the explanation. For some reason, our Package.resolved was in .gitignore.
Is there a way to force Tuist to update to the latest dependencies, or is that the default behaviour?

When you integrate plugins through Xcode’s integration, Tuist resolves the dependencies through SPM whenever you run tuist generate (i.e., it runs swift package resolve). Then Xcode takes over, which can also update the Package.resolved file, for example when a developer decides to update a dependency. Those changes should be persisted to Package.resolved, which should be part of your Git repository if you want consistent versions across environments.
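Added example, not code from Tuist, SwiftPM or the participants above: once Package.resolved is committed, the practical check for the situation described in the question (a transitive dependency moving under you) and in the replies (SPM or Xcode rewriting the lockfile) is to diff the pins between two revisions of the file and fail CI when anything changed that you did not intend. The script below parses both lockfile layouts that SwiftPM has used (version 1 with "object"/"pins"/"package", version 2 with "pins"/"identity") and reports added, removed and changed pins. The sample lockfiles, version numbers and revision hashes are constructed for the example; the package identities are assumed to match the ones SwiftPM would write for the TCA dependency tree and are not taken from a real Package.resolved.

```python
"""Diff two SwiftPM Package.resolved files and report pin drift.

Added example; not Tuist's or SwiftPM's own code. Understands the
version-1 and version-2 lockfile layouts and compares pins by identity.
"""
import json
from typing import Dict, List, Optional, Tuple

# (version, revision) as recorded in the pin's "state" object.
Pin = Tuple[Optional[str], Optional[str]]


def load_pins(text: str) -> Dict[str, Pin]:
    """Parse Package.resolved JSON into {identity: (version, revision)}.

    Version 1 keys pins by "package" under "object"; version 2 keys them
    by "identity" at the top level. Identities are lower-cased so the two
    layouts compare the same way.
    """
    doc = json.loads(text)
    pins: Dict[str, Pin] = {}
    if doc.get("version") == 1:
        for p in doc["object"]["pins"]:
            state = p["state"]
            pins[p["package"].lower()] = (state.get("version"), state.get("revision"))
    else:
        for p in doc["pins"]:
            state = p["state"]
            pins[p["identity"].lower()] = (state.get("version"), state.get("revision"))
    return pins


def diff_pins(before: Dict[str, Pin], after: Dict[str, Pin]) -> dict:
    """Classify pins as added, removed or changed between two lockfiles."""
    changed = {
        name: (before[name], after[name])
        for name in before.keys() & after.keys()
        if before[name] != after[name]
    }
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": changed,
    }


def lockfile_drift(before_text: str, after_text: str) -> dict:
    """Convenience wrapper: parse both files and diff them."""
    return diff_pins(load_pins(before_text), load_pins(after_text))


def has_drift(report: dict) -> bool:
    """True when any pin was added, removed or changed (the CI failure condition)."""
    return bool(report["added"] or report["removed"] or report["changed"])


# Constructed sample lockfiles. Revisions are placeholders, not real commits.
V2_BEFORE = json.dumps({
    "pins": [
        {"identity": "swift-composable-architecture", "kind": "remoteSourceControl",
         "location": "https://github.com/pointfreeco/swift-composable-architecture",
         "state": {"revision": "1" * 40, "version": "1.0.0"}},
        {"identity": "swift-custom-dump", "kind": "remoteSourceControl",
         "location": "https://github.com/pointfreeco/swift-custom-dump",
         "state": {"revision": "2" * 40, "version": "0.9.0"}},
    ],
    "version": 2,
})

# Same tree after a transitive bump of swift-custom-dump and one new pin.
V2_AFTER = json.dumps({
    "pins": [
        {"identity": "swift-composable-architecture", "kind": "remoteSourceControl",
         "location": "https://github.com/pointfreeco/swift-composable-architecture",
         "state": {"revision": "1" * 40, "version": "1.0.0"}},
        {"identity": "swift-custom-dump", "kind": "remoteSourceControl",
         "location": "https://github.com/pointfreeco/swift-custom-dump",
         "state": {"revision": "3" * 40, "version": "0.10.0"}},
        {"identity": "xctest-dynamic-overlay", "kind": "remoteSourceControl",
         "location": "https://github.com/pointfreeco/xctest-dynamic-overlay",
         "state": {"revision": "4" * 40, "version": "0.8.0"}},
    ],
    "version": 2,
})

# The same swift-custom-dump pin in the older version-1 layout.
V1_BEFORE = json.dumps({
    "object": {"pins": [
        {"package": "swift-custom-dump",
         "repositoryURL": "https://github.com/pointfreeco/swift-custom-dump",
         "state": {"branch": None, "revision": "2" * 40, "version": "0.9.0"}},
    ]},
    "version": 1,
})


if __name__ == "__main__":
    # Typical CI use: feed the committed file and the freshly resolved one.
    report = lockfile_drift(V2_BEFORE, V2_AFTER)
    for name, (old, new) in report["changed"].items():
        print(f"changed: {name} {old[0]} ({old[1][:7]}) -> {new[0]} ({new[1][:7]})")
    for name in report["added"]:
        print(f"added:   {name}")
    for name in report["removed"]:
        print(f"removed: {name}")
    raise SystemExit(1 if has_drift(report) else 0)
```

In a pipeline you would run this with the Package.resolved from the base commit and the one produced after tuist generate (or after Xcode's resolution) and treat a non-zero exit as "someone or something moved a pin"; a deliberate dependency update then shows up as an explicit lockfile change in the same pull request rather than as a surprise CI failure.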