Upgrading a dependency with --selective-upgrade doesn't seem to work with 2018.6.25

[mark-adams]

Running using the latest release (2018.6.25), selective upgrades don't appear to work as expected. (If I'm doing something wrong, please let me know :-) )

This was originally filed as #2410 but was closed out because it was thought to have been fixed in the latest release.

/home/madams/.local/venvs/pipenv/bin/python -m 'pipenv.help'

$ python -m pipenv.help output

Pipenv version: '2018.6.25'

Pipenv location: '/home/madams/.local/venvs/pipenv/local/lib/python2.7/site-packages/pipenv'

Python location: '/home/madams/.local/venvs/pipenv/bin/python'

Other Python installations in PATH:

• 2.7: /usr/bin/python2.7

• 2.7: /usr/bin/python2.7

• 3.6: /usr/bin/python3.6m

• 3.6: /usr/bin/python3.6

• 2.7.15: /usr/bin/python

• 2.7.15: /usr/bin/python2

• 3.6.5: /usr/bin/python3

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '0',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '4.15.0-23-generic',
 'platform_system': 'Linux',
 'platform_version': '#25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018',
 'python_full_version': '2.7.14',
 'python_version': '2.7',
 'sys_platform': 'linux2'}

System environment variables:

• GOPATH
• PYPI_PASSWORD
• IM_CONFIG_PHASE
• LESS
• QT4_IM_MODULE
• GJS_DEBUG_OUTPUT
• PROJECT_HOME
• LC_CTYPE
• WINDOWPATH
• XDG_CURRENT_DESKTOP
• XDG_SESSION_TYPE
• TERM_PROGRAM_VERSION
• QT_IM_MODULE
• LOGNAME
• USER
• PATH
• XDG_VTNR
• HOME
• VSCODE_IPC_HOOK
• VIRTUALENVWRAPPER_SCRIPT
• ZSH
• DISPLAY
• XDG_SESSION_DESKTOP
• LANG
• TERM
• VIRTUALENVWRAPPER_WORKON_CD
• XAUTHORITY
• SESSION_MANAGER
• XDG_DATA_DIRS
• DEBFULLNAME
• MANDATORY_PATH
• QT_ACCESSIBILITY
• GNOME_DESKTOP_SESSION_ID
• CLUTTER_IM_MODULE
• TEXTDOMAIN
• GNOME_TERMINAL_SERVICE
• EDITOR
• XMODIFIERS
• GPG_AGENT_INFO
• VSCODE_NLS_CONFIG
• USERNAME
• WORKON_HOME
• GTK_IM_MODULE
• VSCODE_CLI
• XDG_RUNTIME_DIR
• VIRTUALENVWRAPPER_PROJECT_FILENAME
• ELECTRON_NO_ATTACH_CONSOLE
• SSH_AUTH_SOCK
• VTE_VERSION
• GDMSESSION
• KRB5CCNAME
• TEXTDOMAINDIR
• GNOME_SHELL_SESSION_MODE
• SHELL
• PIP_PYTHON_PATH
• PYTHONDONTWRITEBYTECODE
• TERM_PROGRAM
• XDG_SESSION_ID
• DBUS_SESSION_BUS_ADDRESS
• _
• DEFAULTS_PATH
• ATOM_REPOS_HOME
• DESKTOP_SESSION
• LSCOLORS
• XDG_CONFIG_DIRS
• VIRTUALENVWRAPPER_HOOK_DIR
• VSCODE_NODE_CACHED_DATA_DIR_5546
• XDG_SEAT
• VSCODE_NODE_CACHED_DATA_DIR_29546
• OLDPWD
• DEBEMAIL
• GTK_MODULES
• SHLVL
• PWD
• PYPI_USERNAME
• COLORTERM
• CHROME_DESKTOP
• GSM_SKIP_SSH_AGENT_WORKAROUND
• XDG_MENU_PREFIX
• LS_COLORS
• PAGER
• GJS_DEBUG_TOPICS
• GNOME_TERMINAL_SCREEN

Pipenv–specific environment variables:

Debug–specific environment variables:

• PATH: ./node_modules/.bin:/home/madams/.cargo/bin:/usr/local/go/bin:./node_modules/.bin:/home/madams/.cargo/bin:/usr/local/go/bin:./node_modules/.bin:/home/madams/.cargo/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/madams/dev/go/bin:/usr/lib/scala/bin:/home/madams/.rvm/bin:/opt/node/bin:/home/madams/.local/bin:/home/madams/dev/go/bin:/usr/lib/scala/bin:/home/madams/.rvm/bin:/opt/node/bin:/home/madams/.local/bin:/home/madams/dev/go/bin:/usr/lib/scala/bin:/home/madams/.rvm/bin:/opt/node/bin:/home/madams/.local/bin
• SHELL: /usr/bin/zsh
• EDITOR: vim
• LANG: en_US.UTF-8
• PWD: /home/madams/dev/pipenv-selective-upgrade-test

---

Contents of Pipfile ('/home/madams/dev/pipenv-selective-upgrade-test/Pipfile'):

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[dev-packages]

[packages]
arrow = "*"
requests = "*"

[requires]
python_version = "3.6"

Contents of Pipfile.lock ('/home/madams/dev/pipenv-selective-upgrade-test/Pipfile.lock'):

{
    "_meta": {
        "hash": {
            "sha256": "0315ef9be6d34b575d5d8214db33cd0167cdd98c08b5a7b1fea08ed32ffe220f"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "arrow": {
            "hashes": [
                "sha256:c266f0db8f7aeb79764ce3c0aca6cb88978cfd27bfb9fb7588405b5ed331fd3e"
            ],
            "index": "pypi",
            "version": "==0.9.0"
        },
        "certifi": {
            "hashes": [
                "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
                "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
            ],
            "version": "==2018.4.16"
        },
        "chardet": {
            "hashes": [
                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
            ],
            "version": "==3.0.4"
        },
        "idna": {
            "hashes": [
                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
            ],
            "version": "==2.7"
        },
        "python-dateutil": {
            "hashes": [
                "sha256:1adb80e7a782c12e52ef9a8182bebeb73f1d7e24e374397af06fb4956c8dc5c0",
                "sha256:e27001de32f627c22380a688bcc43ce83504a7bc5da472209b4c70f02829f0b8"
            ],
            "version": "==2.7.3"
        },
        "requests": {
            "hashes": [
                "sha256:421cfc8d9dde7d6aff68196420afd86b88c65d77d8da9cf83f4ecad785d7b9d6",
                "sha256:cc408268d0e21589bcc2b2c248e42932b8c4d112f499c12c92e99e2178a6134c"
            ],
            "index": "pypi",
            "version": "==2.19.0"
        },
        "six": {
            "hashes": [
                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
            ],
            "version": "==1.11.0"
        },
        "urllib3": {
            "hashes": [
                "sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf",
                "sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5"
            ],
            "version": "==1.23"
        }
    },
    "develop": {}
}

---

Expected result

If I run pipenv install --selective-upgrade requests, I expect the lockfile to be updated to requests==2.19.1 and the new version to be installed in the virtualenv.

Actual result

The lockfile is not updated and the new version of requests is not installed.

Steps to replicate

1. Clone https://github.com/mark-adams/pipenv-selective-upgrade-test
2. Run pipenv install
3. Run pipenv install --selective-upgrade requests

[mark-adams]

$ pipenv install --selective-upgrade requests
Installing requests...
Collecting requests
  Using cached https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl
Requirement not upgraded as not directly required: chardet<3.1.0,>=3.0.2 in /home/madams/.venv/pipenv-selective-upgrade-test-tRat6HU7/lib/python3.6/site-packages (from requests) (3.0.4)
Requirement not upgraded as not directly required: urllib3<1.24,>=1.21.1 in /home/madams/.venv/pipenv-selective-upgrade-test-tRat6HU7/lib/python3.6/site-packages (from requests) (1.23)
Requirement not upgraded as not directly required: idna<2.8,>=2.5 in /home/madams/.venv/pipenv-selective-upgrade-test-tRat6HU7/lib/python3.6/site-packages (from requests) (2.7)
Requirement not upgraded as not directly required: certifi>=2017.4.17 in /home/madams/.venv/pipenv-selective-upgrade-test-tRat6HU7/lib/python3.6/site-packages (from requests) (2018.4.16)
Installing collected packages: requests
  Found existing installation: requests 2.19.0
    Uninstalling requests-2.19.0:
      Successfully uninstalled requests-2.19.0
Successfully installed requests-2.19.1

Adding requests to Pipfile's [packages]...
Installing dependencies from Pipfile.lock (fe220f)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 8/8 — 00:00:01
To activate this project's virtualenv, run pipenv shell.
Alternativaly, run a command inside the virtualenv with pipenv run.

[techalchemy]

Sorry for the hoops! I am bad at reading when I’m in a hurry :( this looks like a caching issue. If you rm -rf ~/.cache/pipenv or wherever your cache dirs are stored and try again it should work. Not sure if or how we need to handle this going forward

[techalchemy]

Also, let me know if that does work

[mark-adams]

@techalchemy I tried removing the cache as you suggested but am still experiencing the issue.
Do you get the same behavior when you clone my example repository?

[DaveKlassen]

With pipenv, version 2018.6.25:
During a pipenv install with requests = "*" in the Pipfile, I am getting this:

pipenv install
Pipfile.lock not found, creating...
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
t)
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/resolve.py", line 107, in resolve
self._resolve_one(requirement_set, req)
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/resolve.py", line 264, in _resolve_one
abstract_dist = self._get_abstract_dist_for(req_to_install)
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/resolve.py", line 214, in _get_abstract_dist_for
self.require_hashes
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/operations/prepare.py", line 328, in prepare_linked_requirement
abstract_dist.prep_for_dist(finder, self.build_isolation)
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/operations/prepare.py", line 158, in prep_for_dist
self.req.run_egg_info()
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_internal/req/req_install.py", line 502, in run_egg_info
metadata_name = canonicalize_name(self.pkg_info()["Name"])
File "/usr/lib/python2.7/site-packages/pipenv/patched/notpip/_vendor/packaging/utils.py", line 16, in canonicalize_name
return _canonicalize_regex.sub("-", name).lower()
TypeError: expected string or buffer
/usr/lib/python2.7/site-packages/pipenv/_compat.py:108: ResourceWarning: Implicitly cleaning up <TemporaryDirectory '/tmp/pipenv-AowrA0-requirements'>
warnings.warn(warn_message, ResourceWarning)

/usr/lib/python2.7/site-packages/pipenv/_compat.py:108: ResourceWarning: Implicitly cleaning up <TemporaryDirectory '/tmp/pipenv-reyGF6-requirements'>
warnings.warn(warn_message, ResourceWarning)

This does not occur with pipenv v11.10.4

[techalchemy]

@mark-adams yeah I can replicate this for sure.

@DaveKlassen that is a completely separate issue and I believe I have that fixed in #2417 but if not youre going to have to open another issue.

[mark-adams]

Ah, ok. It's good to know that I'm not crazy.

Thanks for taking a look. This has had us super confused for several days about how upgrading a single dependency is supposed to work. 😝

[techalchemy]

@mark-adams I was confused too because I thought I fixed this but apparently I fixed pipenv update --selective-upgrade requests which would work (but not as specifically as you’d like it to yet, we are still paying for old practices).

[mark-adams]

Ah, gotcha. I've just confirmed that pipenv install --selective-upgrade requests still doesn't work on latest master (a2a1936)

[techalchemy]

yeah I'm going to fix it properly so it only actually updates one (currently it just re-locks if you use the update version).

[tobias-hd]

I'm having the same issue with v2018.7.1.

Actually I don't get so far what is the recommended command to update a single package.
Either pipenv install --selective-upgrade requests, or pipenv update requests, as proposed here:
example-pipenv-upgrade-workflow

Both ways do not work currently; they seem to update everything.

[techalchemy]

If you have a problem with a thing that is different from the one described please open a new issue. It’s really hard to troubleshoot issues without details. All commands are supposed to work.

[mark-adams]

Hi @techalchemy, is there a fix for this available yet? Any way I can help?

[mikicz]

Soooo... Any progress on this? I updated Pipenv to 2018.11.26 (latest at the time of writing) and the workflow still doesn't work...

[geoffroy-noel-ddh]

Am I right in thinking that, due to this bug, there is currently no available command to upgrade a single package?

It seems the only way at the moment to upgrade a package without changing the locked versions of the other packages in Pipfile.lock is by doing this:

pipenv uninstall PACKAGENAME && pipenv install --selective-upgrade "PACKAGENAME"

[p-himik]

@geoffroy-noel-ddh Interestingly, in my case it still upgrades all packages. Pipenv 2018.11.26.

[geoffroy-noel-ddh]

@geoffroy-noel-ddh Interestingly, in my case it still upgrades all packages. Pipenv 2018.11.26.

Thanks @p-himik , you're right, uninstall locks everything. This should work:

pipenv uninstall --keep-outdated "PACKAGENAME" && pipenv install --selective-upgrade "PACKAGENAME"

[samwblink]

@geoffroy-noel-ddh

I am also seeing all packages being updated when using:

pipenv uninstall --keep-outdated "PACKAGENAME" && pipenv install --selective-upgrade "PACKAGENAME"

Pipenv Version: 2018.11.26

[salty-horse]

One thing I'm unclear of regarding this bug report:

Is pipenv install EXISTING_INSTALLED PACKAGE even supposed to upgrade a package, rather than install its Pipenv.lock-specified version? The official docs at Example Pipenv Upgrade Workflow suggest you're supposed to use the update command for that, and not install.

I'm trying to debug the related issue mentioned above where installing a new package with install --selective-upgrade PKGNAME, or upgrading an existing package with update --selective-upgrade PKGNAME insists on updating all packages.

It's hard to understand what's the intended behavior is -- there's the --selective-upgrade flag, which only modifies the pip command with --upgrade-strategy=only-if-needed (but doesn't stop pipenv from trying to upgrade all packages), and the different --keep-outdated which does other unclear things. The behavior of both flags are not clearly documented.

As they are currently documented, it makes sense that if I run pipenv install to install the packages as listed in the Pipfile, then running pipenv update --selective-upgrade --keep-outdated should do nothing (or even error). But it updates all the packages.

[fredrikaverpil]

Has anyone found any way to upgrade a single package?
According to the docs, you are supposed to run pipenv update <pkg>, however this updates all packages in my Pipfile.lock.
I'm on Windows 10, Python 3.7.1 and pipenv 2018.11.26 in a venv.

[fredrikaverpil]

I dug some in the core.py file. The --selective-upgrade option is only actually doing something when executing pipenv install. What happens here is that the do_install function actually upgrades the package at hand. But then pipenv runs the do_lock function without dealing with the fact that the package was just upgraded. So effectively, do_lock downgrades the package back to its original version.

The docs are just simply wrong right now on that you are supposed to be able to run pipenv update <package>.

[petarnikolovski]

I'm using 2018.11.26 version and pipenv update <package> is still not working (it actually update almost all packages except the one I explicitly defined). @kenneth-reitz will there be a fix for this issue?

[chrish42]

This is the last major blocker for using Pipfile for us, and for many others I guess. Hence the high number of comments and level of energy here.

I know that the volunteer (thank you) maintainers are very busy, but just posting either about upstream requirements that are blocking this (maybe this needs a new feature in pip?), or giving a sketch of a solution (to allow people who are not experts to potentially help) would to a lot to alleviate things during the time while this issue stays open. At least if there was a sketch of a solution, I would look to see if there is a piece I could pick up.

[apiraino]

I've found this issue because today I was confused on why it seems I cannot update a single package and update the Pipenv file itself.

What exactly is the right workflow to update Pipfile and Pipfile.lock for just one package? (I'm possibly missing something, of course, so thanks for any clarifications).

EDIT: fixed typos :-)

[revolter]

You can use this workaround:

1. Specify an exact version of the package in the Pipfile.
2. Specify the current version of the rest of the packages in the Pipfile.
3. Run pipenv install, in which case the Pipfile.lock file will be updated to include this new version.
4. Remove the exact versions specified in the Pipfile.

[jedie]

That issue is really a problem :(

@revolter To your workaround: How to generate a Pipfile with exact versions?!? I don't see an easy way to do that. The output of "pip freeze" doesn't help here because I want to keep the sections "default" and "develop".

[revolter]

@jedie, What I meant was simply to use any text editor to specify it.

As an example, instead of:

requests = "*"

you should change it to:

requests = "==2.20.1"

for the step 1. in my previous message. And then change it back in the step 4..

[jonapich]

@revolter pinning a version will not prevent other packages to be updated to the Pipfile.lock unless you pin them all, which is exactly what pipenv is supposed to fix in the first place :P

This really really really need to be fixed.

[jonapich]

Here's the procedure I used to bump a single package for a hotfix scenario:

1. Run pipenv update to update pipfile.lock
2. Only stage the lines related to your package in the pipfile.lock
3. Revert all other lines to what they were prior
4. Recreate the environment completely by running pipenv --rm followed by pipenv sync --dev
5. Run pipenv graph and carefully inspects the output: validate that the minimum requirements are met.

This could probably get messy when a lot of inter-dependencies are involved, but in my specific case it was straightforward.

[ramonmoraes]

I've followed the @jonapich instructions, but it did not worked out, because at my company CI we use the flag --deploy, which check the hash of the Pipfile.lock

[jonapich]

Maybe this can help: #3461 (comment)

If you want to upgrade a specific package, you must do it with pipenv install --selective-upgrade (which naturally will add it to your lockfile)

[revolter]

@revolter pinning a version will not prevent other packages to be updated to the Pipfile.lock unless you pin them all, which is exactly what pipenv is supposed to fix in the first place :P

This really really really need to be fixed.

You don't tell :| So that's why you downvoted my comment? I obviously know that this is an issue, and that it should be fixed. I was just providing a workaround until this gets fixed.

Only stage the lines related to your package in the pipfile.lock

This is flawed if the package to update has dependencies that also need to be updated.

[tomchop]

Adding another scenario here: in my project, I'm using two libraries that have recently started having conflicting dependencies. I'm perfectly fine to keep the versions that do not conflict, but I still want to apply hot patches for other stuff. Because any update command ends up attempting to update everything, this new dependency conflicts prevents me from updating any, and all of my dependencies.

[rooom13]

This still does not work in pipenv 2020.11.15

[yesthesoup]

Still an issue in pipenv 2020.11.15 for me as well.

After losing a bunch of time to pipenv today, here's my workaround:

1. Figure out the version you want to install, in my case the latest requests, 25.2.1
2. pipenv install --keep-outdated 'requests==25.2.1' will just update to that version
3. verify Pipfile.lock shows new version, then git checkout -- Pipfile to revert to what you had before, in my case requests = "*"
4. verify correct version is installed

$ pipenv graph | ack requests # or grep
  - requests [required: >=2.7.9, installed: 2.25.1]
[...]

[testchange]

For those who are adding new library but do not want to change the existing dependencies that are already in Pipfile.lock then just need to run the following command:

pipenv install --keep-outdated <YOUR_LIBRAY>

[leeming87v5]

This still does not work in pipenv 2021.11.15

[fredrikaverpil]

I don't expect this to ever work as expected, given how tangled up this code is. I moved on to poetry ages ago, primarily because of this.