An error occurred while installing <non-pypi packagename>
Using pipenv version 8.2.6 with a Pipfile containing references to packages that are served from non-PyPI [[source]]s results in a recoverable error. Given a Pipfile like this, where requests comes from the public PyPI and (for the sake of example) secret-sauce comes from on-prem-pypi.company.com:
```toml
[[source]]
url = "https://on-prem-pypi.company.com"
verify_ssl = true

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true

[packages]
requests = "*"
secret-sauce = "==1.2.3"
```
Running `pipenv install` results in output like:

```
Pipfile.lock not found, creating…
Locking [packages] dependencies…
Updated Pipfile.lock (a1679f)!
Installing dependencies from Pipfile.lock (a1679f)…
An error occurred while installing secret-sauce==1.2.3! Will try again.
Installing initially–failed dependencies…
Success installing secret-sauce==1.2.3! — 00:00:00
```
It seems as though the initial failure was because pipenv failed to find secret-sauce on PyPI, which makes sense, but would it be possible for pipenv to check all sources before emitting the error? It's unsettling to see errors when in fact everything is fine once the appropriate sources are contacted.

Or, perhaps even better and more secure: is it possible to declare that secret-sauce only comes from on-prem-pypi.company.com, to avoid contacting other sources entirely? Without such a declaration, it would be possible for an attacker to claim secret-sauce after the fact on PyPI and potentially run unexpected code on systems that expected secret-sauce to be fetched from a different source.
Thanks for a great project!
Issue Analytics: created 6 years ago; 9 comments (6 by maintainers)
Top GitHub Comments
Whoops! Looks like it’s moved again. Check out https://docs.pipenv.org/advanced/#specifying-package-indexes
I'm kind of sure this was a race condition of some kind. Either way this technically does work. It might work better in master.
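The declaration the reporter asks for exists in the form the linked "specifying package indexes" documentation describes: give each `[[source]]` a `name` and set `index = "<name>"` on the package entry, so pipenv only asks that index for it. The following is an added example, not code from the issue or from pipenv: it embeds two constructed Pipfiles (the issue's original and a pinned rewrite) and a small `audit_pipfile` function that flags any package in a multi-source Pipfile that is still resolvable from more than one index, which is exactly the window an after-the-fact upload of `secret-sauce` to the public index would exploit. The field names `name` and `index` are pipenv's; everything else here is an assumption made for the example.

```python
"""Audit a Pipfile for packages that are not pinned to a single index.

Added example; not from the original issue or from pipenv. It relies only on the
Pipfile layout pipenv documents: [[source]] tables that may carry a `name`, and
package entries that are either a version string or a table that may carry an
`index` key naming one of those sources.
"""
try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # backport for older interpreters

# Constructed sample: the issue's Pipfile with named sources and every package
# pinned to one index, so PyPI is never asked for secret-sauce.
PIPFILE_PINNED = """
[[source]]
url = "https://on-prem-pypi.company.com"
verify_ssl = true
name = "company"

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[packages]
requests = {version = "*", index = "pypi"}
secret-sauce = {version = "==1.2.3", index = "company"}
"""

# Constructed sample: the Pipfile exactly as shown in the issue, with no pins.
PIPFILE_UNPINNED = """
[[source]]
url = "https://on-prem-pypi.company.com"
verify_ssl = true

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true

[packages]
requests = "*"
secret-sauce = "==1.2.3"
"""

UNPINNED = "no index pin; any declared source may serve it"
UNKNOWN_INDEX = "index does not match the name of any [[source]]"


def audit_pipfile(text, sections=("packages", "dev-packages")):
    """Return {package: reason} for entries an unintended index could serve.

    With two or more sources declared, a package must be a table whose `index`
    names one of them; otherwise whichever index answers first wins, which is
    what lets a same-named upload on a public index shadow a private package.
    """
    data = tomllib.loads(text)
    sources = data.get("source", [])
    names = {s["name"] for s in sources if "name" in s}
    problems = {}
    if len(sources) <= 1:
        return problems  # a single source cannot be ambiguous
    for section in sections:
        for pkg, spec in data.get(section, {}).items():
            if isinstance(spec, dict) and "index" in spec:
                if spec["index"] not in names:
                    problems[pkg] = UNKNOWN_INDEX
            else:
                problems[pkg] = UNPINNED
    return problems


if __name__ == "__main__":
    for label, text in (("unpinned", PIPFILE_UNPINNED), ("pinned", PIPFILE_PINNED)):
        print(label + ":", audit_pipfile(text) or "OK")
```

Run it as a pre-commit or CI step over the repository's Pipfile; a non-empty result means at least one package can still be satisfied by whichever index responds first. Pinning `requests` to `pypi` as well is deliberate: once more than one source is declared, leaving any entry unpinned reintroduces the same ambiguity for that package.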