Extras in dev dependencies are not locked

When I add a regular dependency, but also add it with additional extras in --dev, the extra required packages are not recorded in Pipfile.lock.

For example, requests[security] requires cryptography, but (for some reason) I only want the security extra for development:

$ pipenv install requests
...
$ pipenv install --dev 'requests[security]'
...
$ grep cryptography Pipfile.lock
# (no output)
$ pipenv run python -c 'import cryptography as c; print(c)'
<module 'cryptography' from '...'>
$ pipenv clean
Uninstalling 'asn1crypto'…
Uninstalling 'cffi'…
Uninstalling 'cryptography'…
Uninstalling 'pycparser'…
Uninstalling 'pyopenssl'…
Uninstalling 'six'…
$ pipenv install --dev
...
$ pipenv run python -c 'import cryptography as c; print(c)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'cryptography'

Expected result

The cryptography package’s hash should be recorded in Pipfile.lock, and if it gets uninstalled, pipenv install --dev should re-install it.

Actual result

The extra’s requirements are not in Pipfile.lock; pipenv install --dev doesn’t re-install them.

Steps to replicate

See above.


Resulting Pipfile
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
requests = "*"

[dev-packages]
requests = {extras = ["security"]}

[requires]
python_version = "3.6"

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions:3
  • Comments:6 (3 by maintainers)
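
The gap reported in this issue can be checked for mechanically: list the requirements that a dev-only extra pulls in and confirm each one has an entry in Pipfile.lock. The following is an added example, not code from the issue or from pipenv; the Requires-Dist lines, the lock contents and all function names are constructed for illustration.

```python
import json
import re

# [dev-packages] table from the Pipfile in the issue, as a TOML parser returns it.
DEV_PACKAGES = {"requests": {"extras": ["security"]}}
# Constructed Requires-Dist metadata lines for requests (illustrative values).
REQUIRES_DIST = {"requests": [
    "idna>=2.5",
    'pyOpenSSL>=0.14; extra == "security"',
    'cryptography>=1.3.4; extra == "security"',
    'PySocks>=1.5.6; extra == "socks"',
]}
# Constructed Pipfile.lock showing the reported symptom: no cryptography entry.
LOCK = json.loads("""
{"default": {"requests": {"version": "==2.21.0"}, "idna": {"version": "==2.8"}},
 "develop": {"requests": {"extras": ["security"], "version": "==2.21.0"}}}
""")

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)[^;]*(?:;(.*))?$")
_EXTRA = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")

def normalize(name):
    """PEP 503 name normalization, so pyOpenSSL matches pyopenssl."""
    return re.sub(r"[-_.]+", "-", name).lower()

def extra_requirements(requires_dist, extras):
    """Names of requirements that are gated by one of the requested extras."""
    wanted = {normalize(e) for e in extras}
    found = set()
    for line in requires_dist:
        m = _REQ.match(line)
        gates = {normalize(e) for e in _EXTRA.findall(m.group(2) or "")} if m else set()
        if gates & wanted:
            found.add(normalize(m.group(1)))
    return found

def unlocked_extras(dev_packages, requires_dist, lock):
    """Map each dev package to extra-only requirements absent from the lock."""
    locked = {normalize(n) for sec in ("default", "develop") for n in lock.get(sec, {})}
    report = {}
    for name, spec in dev_packages.items():
        extras = spec.get("extras", []) if isinstance(spec, dict) else []
        missing = extra_requirements(requires_dist.get(name, []), extras) - locked
        if missing:
            report[name] = sorted(missing)
    return report

if __name__ == "__main__":
    print(unlocked_extras(DEV_PACKAGES, REQUIRES_DIST, LOCK))
```

Any name in the report is a package that can end up in the environment without a pinned version or hash in the lock file, so it is neither reproducible nor integrity-checked on install.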

Top GitHub Comments

1 reaction
bbc2 commented, Feb 25, 2019

I would like to add that this issue is more subtle, and more likely to occur, than what I’ve read so far.

For instance, with the following Pipfile:

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
fakeredis = "*"

[packages]
rq = "*"

[requires]
python_version = "3.7"

You end up with the wrong version of the redis package:

fakeredis==1.0.2
  - redis [required: <3.2, installed: 3.2.0]
  - six [required: >=1.12, installed: 1.12.0]
  - sortedcontainers [required: Any, installed: 2.1.0]
rq==0.13.0
  - click [required: >=5.0, installed: 7.0]
  - redis [required: >=3.0.0, installed: 3.2.0]

As you can see, this is not just a matter of specifying the same dependency twice in your Pipfile. Maybe this should be a separate issue?

1 reaction
techalchemy commented, Oct 9, 2018

As a brief update on this point – you could consider trying out https://github.com/sarugaku/passa which will lock (but only in an activated virtualenv) and write to the lockfile in a pipenv compatible format. It should handle conflicts gracefully and merge dependency sections as well.
