When a package appears both as a top-level exact-pinned requirement (`foo==1.0`) and as a transitive dependency of another top-level requirement (`bar` depends on `foo>=0.9`), the cooldown check can block or downgrade the transitive resolution even though the user explicitly approved that version.

Steps to reproduce

- Requirements file with multiple top-level pins:

```
foo==1.0
bar==2.0
```

- `bar` depends on `foo>=0.9`
- `foo` 1.0 was published within the cooldown window (e.g., 2 days ago, cooldown is 7 days)
- Run bootstrap with `--min-release-age 7`

What happens

- `foo==1.0` resolves successfully (top-level exact pin bypasses cooldown)
- `bar==2.0` resolves successfully
- When `bar`'s transitive dependency `foo>=0.9` is resolved, it goes through a separate resolution path with `req_type=INSTALL`. Cooldown is enforced, blocking version 1.0
- Result: either an older version is selected (contradicting the pin) or resolution fails

Root cause

`resolve_package_cooldown()` in `resolver.py` only bypasses cooldown for `req_type == TOP_LEVEL` with an exact `==` pin. The transitive resolution uses a different requirement string (`foo>=0.9` vs `foo==1.0`), so the session cache is also a miss. The resolver has no way to know that this package+version was already approved as a top-level pin.

Expected behavior

If a package already has a top-level exact-pinned entry in the dependency graph, cooldown should be bypassed when the same package is resolved as a transitive dependency.

Suggested fix

In `resolve_package_cooldown()`, check the dependency graph for an existing top-level exact-pinned entry for the package. If one exists, return `None` (bypass cooldown) for transitive resolution of the same package.
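The following is an added, self-contained model of the scenario above, not the project's `resolver.py`: the release dates, the two-operator requirement parser and the `check_graph` switch are constructed for illustration. It runs the reproduction once with the current behaviour (the transitive `foo>=0.9` is downgraded to 0.9) and once with the suggested graph lookup (1.0 is kept because the top-level pin already approved it).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
class RequirementType(Enum):
    TOP_LEVEL = "toplevel"
    INSTALL = "install"

@dataclass
class Requirement:
    name: str
    spec: str                   # only "==X" and ">=X" are modelled here
    req_type: RequirementType

# Constructed sample release dates: foo 1.0 is 2 days old, inside a 7-day cooldown.
TODAY = date(2024, 3, 10)
RELEASES = {
    "foo": {"0.9": date(2024, 1, 1), "1.0": date(2024, 3, 8)},
    "bar": {"2.0": date(2024, 1, 1)},
}

def _vtuple(v):
    return tuple(int(x) for x in v.split("."))

def _satisfies(version, spec):
    op, target = spec[:2], spec[2:]
    return _vtuple(version) == _vtuple(target) if op == "==" else _vtuple(version) >= _vtuple(target)

def resolve_package_cooldown(graph, req, min_release_age, check_graph):
    """Return the versions cooldown blocks, or None when cooldown is bypassed."""
    if req.req_type is RequirementType.TOP_LEVEL and req.spec.startswith("=="):
        return None                      # existing bypass for top-level exact pins
    if check_graph and req.name in graph:
        return None                      # proposed fix: a top-level pin already approved it
    cutoff = TODAY - timedelta(days=min_release_age)
    return {v for v, published in RELEASES[req.name].items() if published > cutoff}

def resolve(graph, req, min_release_age, check_graph):
    """Pick the newest version matching req.spec that cooldown does not block."""
    blocked = resolve_package_cooldown(graph, req, min_release_age, check_graph) or set()
    candidates = [v for v in RELEASES[req.name] if _satisfies(v, req.spec) and v not in blocked]
    if not candidates:
        raise ValueError(f"no version of {req.name} satisfies {req.spec} after cooldown")
    chosen = max(candidates, key=_vtuple)
    if req.req_type is RequirementType.TOP_LEVEL and req.spec.startswith("=="):
        graph[req.name] = chosen         # graph records top-level exact pins: name -> version
    return chosen

def reproduce(check_graph):
    """Run the issue's scenario; returns the version chosen for bar's transitive foo>=0.9."""
    graph = {}
    resolve(graph, Requirement("foo", "==1.0", RequirementType.TOP_LEVEL), 7, check_graph)
    resolve(graph, Requirement("bar", "==2.0", RequirementType.TOP_LEVEL), 7, check_graph)
    return resolve(graph, Requirement("foo", ">=0.9", RequirementType.INSTALL), 7, check_graph)
```

`reproduce(False)` returns `"0.9"` (the downgrade described above) and `reproduce(True)` returns `"1.0"`; a transitive spec that only 1.0 satisfies would instead raise `ValueError` without the fix, which is the "resolution fails" outcome.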