Dep ensure -update indicates out-of-sync when files in sync; proj isn't

[akutz]

Dep Version

v0.3.0, darwin-amd64 - Downloaded from GitHub releases page

What dep command did you run?

$ dep ensure -v -update github.com/akutz/gofig
Gopkg.toml and Gopkg.lock are out of sync. Run a plain dep ensure to resync them before attempting to -update

What did you expect to see?

I expected that the gofig dependency would be updated.

What did you see instead?

Gopkg.toml and Gopkg.lock are out of sync. Run a plain dep ensure to resync them before attempting to -update

Addendum

The fact is that the Gopkg.toml and Gopkg.lock files were in sync. I even checked them both out from upstream/master to ensure it. I then had the idea to run dep status, and that's when I figured out what appears to have been the issue:

$ dep status
Lock inputs-digest mismatch due to the following packages missing from the lock:

PROJECT                     MISSING PACKAGES
github.com/sirupsen/logrus  [github.com/sirupsen/logrus]  

This happens when a new import is added. Run `dep ensure` to install the missing packages.

The above output indicates that the dependency github.com/sirupsen/logrus is missing from the lock. That's true, but it's also not in the toml file. It is in the project as I'd already updated the Go import statements to reflect the new case of sirupsen.

It appears to me that an out-of-sync error is given when it's not the files that are out of sync, but the project that includes imports for packages not reflected either in the toml or lock file. Is this the intended behavior? Even if so I think a better error could be provided to indicate it's the project that is out of sync.

[ibrasho]

According to dep model:

The first input is both Gopkg.toml and the project imports (from code). The error message should reflect that the input-hash could change due to a modification in any of them (and therefore Gopkg.lock becomes out of sync).