What does the lock file actually lock? #954

Closed
rwillmer opened this issue Oct 23, 2017 · 5 comments
Labels
Type: Question ❔ This is a question or a request for support.

Comments

@rwillmer

I don't understand what the Pipfile.lock file actually does.

I can see that it stores the hashes of the installed versions, and I can see that from that I can create a pinned requirements.txt file to use with pip.

But I don't see what it prevents from happening, if you don't use pip and only use pipenv.

There's mention of how it can be used to deploy to production, but an example would be great.

If some kind soul could explain what the "dev -> deploy to production" workflow is supposed to be here, I'd happily turn it into a Pull Request for the documentation.

P.S. Thanks for this, @kennethreitz , I love the graph and secure options...

@vphilippon
Member

The Pipfile.lock is the equivalent of a fully pinned requirements.txt. All the dependencies, including the transitive dependencies, are pinned to an exact version. That means that using that file with pipenv, you can re-create the exact same virtual environment with no change in the transitive dependencies.
That means if you install a venv using an existing Pipfile.lock, you won't have any surprises like "oh, this installation is broken because the package foobar has a new version that broke the compatibility".

For the "dev -> deploy to production" workflow example, I'll leave the example to one of the maintainers, as there's a thing or two I'm unsure of in terms of going from "dev mode" to "prod mode" myself.

@rwillmer
Author

rwillmer commented Oct 23, 2017

Thanks, @vphilippon. I understand the principle of it recording the exact versions; but I hadn't seen any example of how you can actually use that file once created, that is, how do you install those versions from that file?

With a bit more digging around, I've found the "pipenv install --ignore-pipfile" option, which I think does the install from the lockfile; but that really isn't obvious.

I'll do a PR in the hope of making it a bit clearer.

rwillmer pushed a commit to rwillmer/pipenv that referenced this issue Oct 23, 2017
@erinxocon erinxocon added the Type: Question ❔ This is a question or a request for support. label Oct 24, 2017
rwillmer pushed a commit to rwillmer/pipenv that referenced this issue Oct 24, 2017
Fixes pypa#954. Example Pipfile.lock workflow.
nateprewitt added a commit that referenced this issue Oct 24, 2017
Fixes #954. Example Pipfile.lock workflow.
@asmaier

asmaier commented Jul 16, 2018

@rwillmer Unfortunately your change to the documentation was removed by the following commit:

21eab5a#diff-aff83a71607de84151c1cf4e0a893472

Maybe your example should be added again to the documentation. It made this important point much clearer.

@uranusjr
Member

uranusjr commented Jul 16, 2018

The correct way to install from the lock file (without any input from Pipfile) is actually pipenv sync. The logic works like this:

  • The user edits Pipfile to express what is wanted for the app
  • pipenv lock takes what the user wants (from Pipfile), and resolves it into locked dependencies (Pipfile.lock)
  • pipenv sync takes the locked dependencies (from Pipfile.lock), and installs them into the environment.

pipenv install (without other arguments) is essentially lock + sync, so it is more like installing from Pipfile instead.

I would also like to mention that documentation contributions are very welcome.

@55stella

55stella commented Dec 1, 2021

How does pip lock work?
