`dependency_services report` can select prerelease version even when the package is constrained to stable version

[chika3742]

Environment

Dart SDK version: 3.9.2 (stable) (Wed Aug 27 03:49:40 2025 -0700) on "macos_arm64"
macOS 26.0 25A5349a

Problem

I noticed that Dependabot had created an update pull request for a pre-release version in my repository.

After investigating, I found that the problem was not with Dependabot, but rather that Pub's dependency_services was not returning the correct results. Specifically, the report command of dependency_services was returning results that allowed updates to pre-release versions, even though the package constrained to stable versions.

Furthermore, this issue does not occur in simple projects with only a single dependency, but seems to happen only in projects with two or more complex dependencies as shown below.

name: dependabot_test
description: "A new Flutter project."

environment:
  sdk: '>=3.2.6 <4.0.0'

dependencies:
  flutter:
    sdk: flutter

  riverpod_lint: 2.6.5
  custom_lint: 0.7.6

Expected behavior

dependency_services report targeting riverpod_lint does not return any updates.

Actual behavior

dependency_services report targeting riverpod_lint returns updates to riverpod_lint 3.0.0-dev.17 and custom_lint 0.8.0 (multiBreaking).

--verbose output

[sigurdm]

The problem is not with dependency_services per se (as I guess you realized) but with the pub solver itself.

The pub solver is not searching the entire solution space looking for the best solution, but searching greedily for a solution, backtracking if it gets stuck. It is using a heuristic to try stable versions before non-stable. In some cases it is necessary to use a stable version, therefore your proposed PR would change the semantics of the solver (because it would disallow some solutions that are valid currently).

[chika3742]

@sigurdm I’ve adjusted the code so that almost all tests pass locally (the PR title might not have been very good). A few still fail, likely due to environmental differences and unrelated to version resolution. Could you allow me to run the CI once?