Dependency with Private Repo and dependency_overrides doesn't run "dart pub outdated"

[Tox46]

Environment

I've reproduced the bug on Mac and on linux (Debian), but i've not tried yet on Windows

Debian

• Dart version: Dart SDK version: 3.6.0 (stable) (Thu Dec 5 07:46:24 2024 -0800) on "linux_x64"
• OS kind and version: Debian GNU/Linux 12 (bookworm) x86_64
• Are you using the Chinese community mirror or a corporate firewall? no

Mac

• Dart version: Dart SDK version: 3.6.1 (stable) (Tue Jan 7 09:50:00 2025 -0800) on "macos_arm64"
• OS kind and version: MacOS Sonoma 14.6.1
• Are you using the Chinese community mirror or a corporate firewall? no

Problem

dependencies:
  my_private_package:
    git:
      url: git@github.com:MyName/MyPrivateRepo.git
      ref: main

dependency_overrides:
  my_private_package:
    path: ../my_private_package

This is a trimmed version of my pubspec.yaml. It is written in such way that a sister folder always contains the package we refer to, or the environment we run in always has every entitlement to download the package from my private repo.

When running dart pub outdated the terminal always gives the same error, whether adding --dependency-overrides or --no-dependency-overrides. Here's one example of the output i get:

roberto@debian:~/$ dart pub outdated --dependency-overrides
Git error. Command: `git clone --mirror git@github.com:MyName/MyPrivateRepo.git /home/roberto/.pub-cache/_temp/dirKJZDSE`
stdout: 
stderr: Cloning into bare repository '/home/roberto/.pub-cache/_temp/dirKJZDSE'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

exit code: 128
roberto@debian:~/$ dart pub outdated --no-dependency-overrides
Git error. Command: `git clone --mirror git@github.com:MyName/MyPrivateRepo.git /home/roberto/.pub-cache/_temp/dirVMXQWK`
stdout: 
stderr: Cloning into bare repository '/home/roberto/.pub-cache/_temp/dirVMXQWK'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

exit code: 128

Expected behavior

I expect at least one of these two commands to work, but both ignore the dependency_overrides

[sigurdm]

Yeah - this doesn't look right. I will try to investigate.

[sigurdm]

Ah now I understand!

pub outdated is trying to find the version for the latest column - and that never takes the override into account - which usually makes good sense. But here it should probably fall back to not showing a latest at all.

Maybe the latest column should only ever be filled for hosted (or version-tagged git dependencies)?
And maybe that logic expands to all the columns - they should perhaps not be shown at all for path and git dependencies.

@jonasfj do you have an opinion here?

[jonasfj]

I'm not sure, you can do pub upgrade on a git-dependency, right?

A workaround here, if my_private_package and root application is in the same repository is to use workspaces.

---

I think it might be okay for dart pub outdated --dependency-overrides to enforce dependency_overrides and not attempt to find out what the latest version of an overwritten dependency is. Because, well we're told to respect dependency-overrides.

I guess the question here is what does pub upgrade do? It won't attempt to upgrade a dependency_override I'm assuming?