Problem
apm deps update delegates to _install_apm_dependencies(update_refs=True), which correctly re-resolves git refs to their latest commit SHAs (API call). However, when the resolved SHA matches the existing lockfile SHA, the engine still:
- Re-clones/fetches the package (unnecessary network + I/O)
- Re-integrates all primitives (unnecessary file writes)
- Re-computes content hashes (unnecessary CPU)
This happens because update_refs=True bypasses the lockfile entirely at three choke points in install.py:
- Line 1154:
if lockfile_path.exists() and not update_refs: -- skips loading lockfile
- Line 1725:
if ... and not update_refs and not ref_changed: -- skips SHA match check
- Line 1736:
(is_cacheable and not update_refs) -- skips cache hit
Expected behavior
After resolving refs (API call -- always necessary), compare the resolved SHA with the lockfile SHA. If they match, skip download and integration. Only proceed with download + integration when the SHA has actually changed.
Proposed approach
Separate "resolution" from "download" in the update_refs path:
- Load the lockfile even when
update_refs=True (but only for SHA comparison, not to skip resolution)
- After ref resolution, compare resolved SHA vs lockfile
resolved_commit
- If match: skip download, mark as cached, skip integration (or make integration content-aware)
- If different: download, integrate, update lockfile as today
This would also benefit apm install when re-running on an already-installed project.
Impact
For projects with many dependencies that are already at their latest refs, apm deps update currently re-downloads and re-integrates everything. With this optimization, it would only make lightweight API calls to verify SHAs, making the common case (nothing changed) near-instant.
Context
Discovered during E2E testing of PR #493. The update command works correctly -- this is purely a performance optimization.
Problem
apm deps updatedelegates to_install_apm_dependencies(update_refs=True), which correctly re-resolves git refs to their latest commit SHAs (API call). However, when the resolved SHA matches the existing lockfile SHA, the engine still:This happens because
update_refs=Truebypasses the lockfile entirely at three choke points ininstall.py:if lockfile_path.exists() and not update_refs:-- skips loading lockfileif ... and not update_refs and not ref_changed:-- skips SHA match check(is_cacheable and not update_refs)-- skips cache hitExpected behavior
After resolving refs (API call -- always necessary), compare the resolved SHA with the lockfile SHA. If they match, skip download and integration. Only proceed with download + integration when the SHA has actually changed.
Proposed approach
Separate "resolution" from "download" in the
update_refspath:update_refs=True(but only for SHA comparison, not to skip resolution)resolved_commitThis would also benefit
apm installwhen re-running on an already-installed project.Impact
For projects with many dependencies that are already at their latest refs,
apm deps updatecurrently re-downloads and re-integrates everything. With this optimization, it would only make lightweight API calls to verify SHAs, making the common case (nothing changed) near-instant.Context
Discovered during E2E testing of PR #493. The update command works correctly -- this is purely a performance optimization.