Disallow reading flake.lock
With --no-write-lock-file, it's possible that flake.lock is out of sync with the actual inputs used by the evaluation. So doing fromJSON (readFile ./flake.lock) will give wrong results. Fixes #4639.
This commit is contained in:
parent
1fbaf36729
commit
e5596113f7
|
@ -1412,6 +1412,11 @@ static void prim_readFile(EvalState & state, const Pos & pos, Value * * args, Va
|
||||||
{
|
{
|
||||||
PathSet context;
|
PathSet context;
|
||||||
Path path = state.coerceToPath(pos, *args[0], context);
|
Path path = state.coerceToPath(pos, *args[0], context);
|
||||||
|
if (baseNameOf(path) == "flake.lock")
|
||||||
|
throw Error({
|
||||||
|
.msg = hintfmt("cannot read '%s' because flake lock files can be out of sync", path),
|
||||||
|
.errPos = pos
|
||||||
|
});
|
||||||
try {
|
try {
|
||||||
state.realiseContext(context);
|
state.realiseContext(context);
|
||||||
} catch (InvalidPathError & e) {
|
} catch (InvalidPathError & e) {
|
||||||
|
|
Loading…
Reference in a new issue