From 0add3cf0487264cb5f1dae19d92c3996535b50d8 Mon Sep 17 00:00:00 2001
From: Matt Farina <matt@mattfarina.com>
Date: Thu, 16 Jul 2020 11:03:08 -0400
Subject: [PATCH] Locking file URIs to a version in lockfile

Previously, if a range was specified for a file:// url as a
dependency the range would be put in the lockfile. Lockfiles are
designed to pin to a specific version and not support ranges. This
is for reproducibility.

The change here pins to a the specific version of the chart
specified using the file:// when update is run.

Signed-off-by: Matt Farina <matt@mattfarina.com>
---
 internal/resolver/resolver.go      | 13 +++++++++++--
 internal/resolver/resolver_test.go | 11 +++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/internal/resolver/resolver.go b/internal/resolver/resolver.go
index cec29c947..c72a39e82 100644
--- a/internal/resolver/resolver.go
+++ b/internal/resolver/resolver.go
@@ -27,6 +27,7 @@ import (
 	"github.com/pkg/errors"
 
 	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/helmpath"
 	"helm.sh/helm/v3/pkg/provenance"
 	"helm.sh/helm/v3/pkg/repo"
@@ -68,14 +69,22 @@ func (r *Resolver) Resolve(reqs []*chart.Dependency, repoNames map[string]string
 		}
 		if strings.HasPrefix(d.Repository, "file://") {
 
-			if _, err := GetLocalPath(d.Repository, r.chartpath); err != nil {
+			chartpath, err := GetLocalPath(d.Repository, r.chartpath)
+			if err != nil {
+				return nil, err
+			}
+
+			// The version of the chart locked will be the version of the chart
+			// currently listed in the file system within the chart.
+			ch, err := loader.LoadDir(chartpath)
+			if err != nil {
 				return nil, err
 			}
 
 			locked[i] = &chart.Dependency{
 				Name:       d.Name,
 				Repository: d.Repository,
-				Version:    d.Version,
+				Version:    ch.Metadata.Version,
 			}
 			continue
 		}
diff --git a/internal/resolver/resolver_test.go b/internal/resolver/resolver_test.go
index 0b0c3a6f8..f59188508 100644
--- a/internal/resolver/resolver_test.go
+++ b/internal/resolver/resolver_test.go
@@ -82,6 +82,17 @@ func TestResolve(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "repo from valid local path with range resolution",
+			req: []*chart.Dependency{
+				{Name: "base", Repository: "file://base", Version: "^0.1.0"},
+			},
+			expect: &chart.Lock{
+				Dependencies: []*chart.Dependency{
+					{Name: "base", Repository: "file://base", Version: "0.1.0"},
+				},
+			},
+		},
 		{
 			name: "repo from invalid local path",
 			req: []*chart.Dependency{