-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pipenv lock --keep-outdated does not respect Pipfile.lock constraints #4031
Comments
Same as #3975? |
yes, this is the same issue, sub-dependencies are updated due to the behavior described above. |
I'll link this one too: #4055 |
Nothing new on this issue ? It's a real problem to don't have the ability to generate requirements that stricly respect Pipfile.lock Maybe only the integration of the --ignore-pipfile flag can allow this functionnality to work well ? |
Can this be rechecked on the latest |
I am reposting this explanation from a similar issue report recently #4055 (comment): Sorry, I re-read the issue report, and I have to explain that
This isn't true, what you are asking for is that the default behavior of install to be What you should be doing instead is actually picking proper specifiers for your project in the Thanks for pointing out that other comment in that thread that has so many likes -- to me it represents a complete misunderstanding of what the pip resolver is capable of and the kind of guarantees it provides when you use it properly. Either way |
The issue itself is a strong indicator that |
@matteius apologies for splitting your comment in parts, but it'll be easier to reply to a couple of statements you made this way:
I believe this is your private opinion, but as I'm coming from 'bundler' world in Ruby I can confirm that this at least is true there, to back it up with something, I'll at least mention the "principle of least surprise", which pipenv is currently violating. Also the fact that pipenv install alters other, unrelated package dependencies sounds like "feature envy". This also resembles the "git commit" situation. Compare
Most people do that already, but still, even if I specify
Lastly , this is a different story. A flawed implementation does not mean the whole concept is wrong. At least pipenv should have a sane option of keeping the unrelated packages untouched. Perhaps fixing this implementation will be a good compromise. |
The other unrelated packages are actually related to your
it could be avoided in the first place by recognizing this fact (which you have) and then pinning it in your Pipfile until you are ready to put the time into testing the upgrade of
This is not how the The common problem theme here with |
@januszm I noticed you thumbs downed my last comment, but its the truth. I re-read your comment, one more advice:
That is because the tilde operator allows it to upgrade the minor version of the specifier, if you want it pinned to 2.2 use I am happy to discuss this more and further explain the problems of |
I can see where my response was a bit quick the other night, but it was late for me. I'd like to suggest that while I once thought maybe the
Given this, what happens is the lock file is generated from a resolution of all the Pipfile specifiers. When you use a tilde, you are using a loose specifier meaning you don't mind if the package version changes--there is a formula for how the tilde is computed that I won't go into here/now (would require me to look it up again). My focus on this thread is around the resolver phase. Your inputs go in an a resolved set of packages comes out. Following that, how keep outdated works is it takes the lock resolution of the new resolver result, and merges it with what the older resolver result was, in a simplistic way of saying what ever package are already in the lock file I'll keep. This logic doesn't have any resolver accountability, and so the result may not be installable or worse, it may install but be totally incompatible. There really isn't a way to solve for this without having the specifers you care about in the Pipfile such that they are used in the new lock resolution and respected in the final lock file output. Here is the code I am referring to: https://github.com/pypa/pipenv/blob/main/pipenv/core.py#L1209-L1228 Sorry if I stepped on any toes, but I think its important to reduce the specification of pipenv to what can actually be supported without issues. The docs only reference this about These are pretty old docs too and the statement doesn't make a lot of sense as written. I think what it should be suggesting is to only keep top level dependencies and ones you know you want pinned in the Pipfile and let the lockfile manage the rest. You don't need |
I believe this is more of your own opinion rather than universal truth. I noticed that you and probably other pipenv maintainers have a fundamentally different understanding of how a dependency management system should work when it comes to package installation. Since there are so many differences here, it seems that the Python community needs another system as an alternative to pipenv. It's a pity, because it's always more effective to focus all efforts and budget on improving one solution, as was the case with I think I'll end my participation in this discussion here because neither I nor others present here (and in related issues) will convince you to change the design decisions regarding the installation, nor, as you have probably noticed, you will not convince others. |
Well until I hear an actual proposal that would make |
I know I'm way late for the discussion, but I'd like to add a case that might justify the feature request. |
@sidneydemoraes since we removed EDIT: Actually it sounds like you are saying that you did not pin regex in your Pipfile, just dateparser, and somehow pipenv should be able to figure out that despite the constraint allowing the latest regex, that it shouldn't use it? This gets back to the fact pipenv cannot magically figure out that a newer version breaks and wasn't restricted properly. The recommendation is to add additional Pins to the Pipfile as that is the spec, and Pipfile.lock is the generated lock file. |
Issue description
When I have Pipfile with a non-locked dependency (
*
) but the dependency is locked in Pipfile.lockand then I lock dependencies with
--keep-outdated
flag in the current constraints latest available version of the package is used.Pipfile
Pipfile.lock
verbose output
Expected result
verbose output
In the case of pytest it results in not installing proper sub-dependencies. Version 5.3 dropped the requirement for
atomicwrites
, so the newly generated Pipfile.lock does not contain it, but since version of pytest which I actually use is 5.2.2 I'm getting an ImportErrorThe text was updated successfully, but these errors were encountered: