steps

1. Run update task (or compile task that calls update) on a newly created project.

expectation

1. update internally calls resolveDependencies.
2. resolveDependencies performs Ivy resolution and persists the resulting dependency graph into a JSON file under src/sbt/resolveDependencies.json. This file might contain:
   a. SHA-1 of the input libraryDependencies, and SHA-1 of all libraryDependencies across the build ("build clock").
   b. URLs for all artifacts. Or an expression relative to resolvers.
   c. Timestamp for -SNAPSHOT resolution.
3. Using the persisted dependency graph, update task downloads required artifacts.

steps 2

1. The user git commits src/sbt/resolveDependencies.json.
2. Later day, some other user Bob git clones and runs compile task (that internally calls update).

expectation 2

4. compile internally calls update, which internally calls resolveDependencies.
5. resolveDependencies finds that there's a persisted dependency graph at src/sbt/resolveDependencies.json, and returns it without calling Ivy.
6. Using the returned dependency graph, update task downloads required artifacts.

steps 3

1. Bob adds commons-io 1.0 to libraryDependencies.
2. Bob reloads the build.
3. Bob runs compile.

expectation 3

7. compile internally calls update, which internally calls resolveDependencies.
8. Detecting the change in libraryDependencies, which changes the SHA-1 of all libraryDependencies ("build clock"), all resolveDependencies.json are invalidated, and performs Ivy resolution and overwrites the file.

note

This should work similar to Gemfile.lock.

In addition, by using our own caching mechanism, we should be able to avoid global Ivy locking when Ivy is not invoked. Note that it will need special handling for -SNAPSHOT.

Ref #290