Description
Describe the bug
Every run of apm install rewrites the generated_at field in apm.lock.yaml, even when no dependencies have changed. This makes the lockfile non-deterministic — every developer who runs apm install (e.g. as part of an update flow) produces a dirty git status with no meaningful change.
To Reproduce
- Run apm install in a project with pinned dependencies
- Commit apm.lock.yaml
- Run apm install again without changing apm.yml
- Run git diff apm.lock.yaml

```diff
-generated_at: '2026-03-25T13:55:32.146944+00:00'
+generated_at: '2026-03-25T18:00:13.328578+00:00'
```

Expected behavior
apm install should not modify apm.lock.yaml when the resolved dependencies are identical. The lockfile should be stable across idempotent installs, like npm install or poetry lock behave — only changing when the dependency graph actually changes.
The current behavior incentivizes teams to .gitignore the lockfile to avoid noisy diffs, which defeats the purpose of having one.
Environment:
- OS: macOS
- Python Version: 3.12
- APM Version: 0.8.5
Additional context
A possible fix would be to either skip writing generated_at when the dependency entries haven't changed, or remove the field entirely — it doesn't contribute to reproducibility and actively harms determinism.
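One way to implement the first option (skip the rewrite when the dependency entries are unchanged), added here as an illustration and not apm's own code: it assumes a hypothetical lockfile layout, compares the pinned content with the volatile generated_at line ignored, and uses a small YAML subset so it runs without PyYAML.

```python
"""Write apm.lock.yaml only when the dependency graph changed, so a repeat
install leaves git status clean. Hypothetical helper, not apm's own code;
it uses a small YAML subset so it runs without PyYAML."""
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Top-level keys that carry no reproducibility information; they must never
# cause a rewrite on their own.
VOLATILE_KEYS = {"generated_at"}


def render_lock(entries: dict[str, dict[str, str]], generated_at: str) -> str:
    """Render the lockfile with sorted keys so identical graphs render identically."""
    lines = [f"generated_at: '{generated_at}'", "dependencies:"]
    for name in sorted(entries):
        lines.append(f"  {name}:")
        lines.extend(f"    {k}: {v}" for k, v in sorted(entries[name].items()))
    return "\n".join(lines) + "\n"


def content_fingerprint(text: str) -> str:
    """Lockfile text minus volatile top-level lines: the part that actually pins deps."""
    kept = []
    for line in text.splitlines():
        top_key = None if line[:1].isspace() else line.split(":", 1)[0]
        if top_key not in VOLATILE_KEYS:
            kept.append(line)
    return "\n".join(kept)


def write_lock_if_changed(path: Path, entries: dict[str, dict[str, str]]) -> bool:
    """Write only if pinned content differs from disk; True if written, else False (old timestamp kept)."""
    new_text = render_lock(entries, datetime.now(timezone.utc).isoformat())
    if path.exists() and content_fingerprint(path.read_text()) == content_fingerprint(new_text):
        return False
    path.write_text(new_text)
    return True


def demo() -> tuple[bool, bool, bool]:
    """Replay the report with constructed data: install, install again unchanged, install after a pin bump."""
    pinned = {"acme-tool": {"version": "1.2.0", "sha256": "<constructed-digest>"}}
    with tempfile.TemporaryDirectory() as tmp:
        lock = Path(tmp) / "apm.lock.yaml"
        first = write_lock_if_changed(lock, pinned)       # True: file created
        snapshot = lock.read_text()
        second = write_lock_if_changed(lock, pinned)      # False: same graph, no rewrite
        assert lock.read_text() == snapshot               # generated_at preserved as well
        bumped = {"acme-tool": {"version": "1.3.0", "sha256": "<constructed-digest-2>"}}
        third = write_lock_if_changed(lock, bumped)       # True: graph really changed
    return first, second, third
```

A reviewer reading git diff then sees only real changes to the pinned set, which is what makes a committed lockfile useful as a supply-chain control.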