Skip to content

Improve version pinning guidance and CLI visibility #336

New issue
New issue
Closed
#340
Closed
Improve version pinning guidance and CLI visibility#336
#340
Labels
documentationImprovements or additions to documentationenhancementNew feature or request
@danielmeppiel

Description

@danielmeppiel
danielmeppiel
opened on Mar 17, 2026

Context

Community feedback highlights that APM's documentation and CLI could do more to guide users toward pinning dependency versions. The concern is that unversioned examples are shown prominently across docs and README, and the CLI provides no visibility into what ref was resolved during install.

What APM already does well

  • Lockfile with commit SHA pins: apm.lock.yaml captures exact 40-character commit SHAs for every dependency — even unversioned ones. Subsequent installs reuse locked commits.
  • Content security scanning: apm install, apm compile, and apm unpack all scan for hidden Unicode characters and exit non-zero on critical findings. No other package manager does this at install time.
  • Version support: Dependencies can be pinned with #v1.0.0 (tag), #main (branch), or #a1b2c3d (commit SHA).

This puts APM on par with npm (package-lock.json), uv (uv.lock), and ahead of pip (no lockfile by default). None of these tools mandate version pinning or warn when versions are omitted.

What needs improving

1. Documentation — show pinned examples alongside unversioned

Today, docs prominently show:

- microsoft/apm-sample-package

Should also show the pinned form:

- microsoft/apm-sample-package#v1.0.0

Files to update:

  • docs/src/content/docs/getting-started/quick-start.md
  • docs/src/content/docs/guides/dependencies.md
  • docs/src/content/docs/reference/manifest-schema.md
  • templates/hello-world/apm.yml
  • README.md

2. Tag microsoft/apm-sample-package

Create a v1.0.0 tag so docs can reference a real version. Currently the sample package has no tags or releases.

3. CLI — show resolved ref in install output

After install, show what was actually resolved:

[✓] microsoft/apm-sample-package @ a1b2c3d (main)

This gives visibility (like npm shows resolved versions) without being preachy.

4. CLI — info hint for unversioned dependencies

When deps have no explicit ref, show a one-time info line:

Tip: Pin with #tag or #sha for reproducible installs
  • Blue info color, not yellow warning — guidance, not a problem
  • Once per install run, not per package

Design principles

  • ❌ Don't mandate version pins (npm/pip/uv don't)
  • ❌ Don't block unversioned installs (breaks DX, hostile to exploration)
  • ❌ Don't pretend all deps have versions — most APM packages don't yet
  • ✅ Guide through examples and visibility, not enforcement

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentationenhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions