Pipenv does not follow URL-based subdependencies of a URL-based dependency

[selik]

I have three projects. Project A depends on B, which in turn depends on C. Each is private, hosted in GitHub. Project A in its Pipfile specifies its dependency on B via URL B = {editable = true,git = "ssh://git@github.com/selik/B.git"}. Project B specifies its dependency on C in its setup.cfg file using PEP-508 standard for URL-based dependencies C @ git+ssh://git@github.com/selik/C.git#egg=C.

Unfortunately, the real name I chose for Project C happens to collide with a project listed on PyPI. When Pipenv installs all of Project A's dependencies, I get the PyPI project C instead of my personal project C.

I can work around this by listing my personal project C as a direct dependency of project A. This is frustrating, because of the difficulty diagnosing the issue and the increased maintenance burden for anything which depends on Project B.

It looks like this feature was merged into Pip with pypa/pip#5571 in July 2018, but I'm not sure from the conversation in that thread.

[zicvic]

I have the same issue, three packages in a chain dependency fasion.. wrote about it here yesterday but I guess this is a better place, will copy paste it here

[lounis]

Hi @zicvic @selik
yes we have the same issue https://github.com/pypa/pipenv/issues/3976#issuecomment-549820776

[zicvic]

Hi @zicvic @selik
yes we have the same issue https://github.com/pypa/pipenv/issues/3976#issuecomment-549820776

Hi! Have any of you looked into where this would resolve in the code and have an idea for how to fix this? I'm a little bit tied up for the coming three weeks but after that I could take a look and see if I can come up with a solution since it doesn't seem to be anyone working on this at the moment.

[selik]

@zicvic You might want to check out how Pip solved it in pypa/pip#5571

[vashek]

I'm getting bitten by this, too. Is there any known workaround?

[davegravy]

I'm getting bitten by this, too. Is there any known workaround?

I ended up launching my own private pypi server and publishing to it so I could stop using url references

[thehesiod]

I'm having the issue with just one level, I have a pip module (fbn-googleapi) on our own pypi server, and in that module's setup.py it has the req: google-api-python-client @ git+https://github.com/thehesiod/google-api-python-client.git@thehesiod/batch-retries#egg=google-api-python-client, the Pipfile.lock that that generates is just

            "hashes": [
                "sha256:3121d55d106ef1a2756e8074239512055bd99eb44da417b3dd680f9a1385adec",
                "sha256:a8a88174f66d92aed7ebbd73744c2c319b4b1ce828e565f9ec721352d2e2fb8c"
            ],
            "version": "==1.7.11"
        },

instead of an editable link to the github repo.

I have to add google-api-python-client = {editable = true,git = "https://github.com/thehesiod/google-api-python-client.git",ref = "thehesiod/batch-retries"} to the Pipfile to make lock work correctly :(

[thehesiod]

this is definitely still broken in my scenario, just tried with 2021.11.23