Ballerina dependencies are resolved for the latest available than what specified in Ballerina.toml

Question

I have a Ballerina project built on Ballerina U4 (2201.4.1). The Ballerina.toml for this project as follows.

[package]
org = "anjana"
name = "test"
version = "0.1.0"
distribution = "2201.4.1"

[[dependency]]
org="wso2healthcare"
name="healthcare.fhir.r4"
version="0.1.17"

As mentioned in the above toml code, the project has a dependency for wso2healthcare/healthcare.fhir.r4:0.1.17.

This wso2healthcare/healthcare.fhir.r4 package has a latest release for version 0.1.18. Both the versions 0.1.17 and 0.1.18 are built on Ballerina U4.

Issue/Concern

The concern is, though I have specified wso2healthcare/healthcare.fhir.r4:0.1.17 in the Ballerina.toml, it has pulled the wso2healthcare/healthcare.fhir.r4:0.1.18 from Ballerina Central, as mentioned in below Dependencies.toml snippet.

[[package]]
org = "wso2healthcare"
name = "healthcare.fhir.r4"
version = "0.1.18"
dependencies = [
    {org = "ballerina", name = "constraint"},
    {org = "ballerina", name = "http"},
    {org = "ballerina", name = "jwt"},
    {org = "ballerina", name = "lang.value"},
    {org = "ballerina", name = "log"},
    {org = "ballerina", name = "regex"},
    {org = "ballerina", name = "time"},
    {org = "ballerina", name = "uuid"},
    {org = "wso2healthcare", name = "healthcare.base"}
]

This persists even the project is rebuilt deleting the Dependencies.toml as well. The behavior seems to be is that Ballerina compiler is pulling latest version of dependencies that are available for a given Ballerina distribution.

But in my case, I have specified to use an old version of the dependency purposefully and yet it resolves to the latest.

It seems to be bit misleading when the project is resolving a different version of a dependency than the version which the developer has specified in Ballerina.toml.

Any insights are greatly appreciated.

Answer 1

The version specified in the Ballerina.toml file is considered the minimum required version (https://ballerina.io/learn/manage-dependencies/#update-dependency-versions). So if there are any higher versions, it will always resolve to that.

If the Dependencies.toml file had the versions you required, you could use the sticky option to stick to the versions in the Dependencies.toml file (https://ballerina.io/learn/manage-dependencies/#achieve-reproducible-builds). Otherwise, you may have to pull it manually and run the build with --offline