Outlaw packages with version =* from the lock file
See original GitHub issueI have come across a number of packages where one or more dependency has a version of *
i.e. latest or any but it is present in the lock file. This means that I cannot install that package unless:
- The current latest happens to match or
- I can guess which version it is supposed to be
It also results in automated tests such as travis failing after a time even if there have been zero code changes, e.g. a rebuild because of a documentation only change since the dependencies have moved on since the last time that there was a push to the project. This is an extra burden for the maintainers and tends to be a barrier for new contributors.
Describe the solution you’d like
I would like a version specifier of * to either result in the lock file being ignored for that package.
Describe alternatives you’ve considered
If a version specifier of *
with a SHA in lock was an error then this would tend to force the original authors to address the issue by specifying the specific version - but may be frustrating.
Additional context
An example of this happening: https://github.com/psf/requests-html/pull/338
Worker information
0.19s0.01s0.00s0.01s
system_info
Build system information
0.02s0.01s0.35s0.28s0.06s0.00s0.05s0.00s0.01s0.01s0.01s0.01s0.01s0.00s0.00s0.03s0.00s0.01s0.41s0.00s0.00s0.00s0.01s0.00s0.13s0.01s0.95s0.00s0.00s0.07s0.00s2.90s0.00s2.41s
docker_mtu
resolvconf
git.checkout
0.97s$ git clone --depth=50 https://github.com/psf/requests-html.git psf/requests-html
0.01s0.01s$ source ~/virtualenv/python3.6/bin/activate
$ python --version
Python 3.6.7
$ pip --version
pip 19.0.3 from /home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pip (python 3.6)
install.1
0.61s$ pip install pipenv --upgrade-strategy=only-if-needed
37.24s$ pipenv install --dev
Courtesy Notice: Pipenv found itself running within a virtual environment, so it will automatically use that environment, instead of creating its own for any project. You can set PIPENV_IGNORE_VIRTUALENVS=1 to force pipenv to ignore that environment and create its own instead. You can set PIPENV_VERBOSITY=-1 to suppress this warning.
Installing dependencies from Pipfile.lock (7312a6)…
An error occurred while installing pluggy==0.6.0 --hash=sha256:7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff! Will try again.
================================ 46/46 — 00:00:26
Installing initially failed dependencies…
[pipenv.exceptions.InstallError]: File "/home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pipenv/core.py", line 1874, in do_install
[pipenv.exceptions.InstallError]: keep_outdated=keep_outdated
[pipenv.exceptions.InstallError]: File "/home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pipenv/core.py", line 1253, in do_init
[pipenv.exceptions.InstallError]: pypi_mirror=pypi_mirror,
[pipenv.exceptions.InstallError]: File "/home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pipenv/core.py", line 859, in do_install_dependencies
[pipenv.exceptions.InstallError]: retry_list, procs, failed_deps_queue, requirements_dir, **install_kwargs
[pipenv.exceptions.InstallError]: File "/home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pipenv/core.py", line 763, in batch_install
[pipenv.exceptions.InstallError]: _cleanup_procs(procs, not blocking, failed_deps_queue, retry=retry)
[pipenv.exceptions.InstallError]: File "/home/travis/virtualenv/python3.6.7/lib/python3.6/site-packages/pipenv/core.py", line 681, in _cleanup_procs
[pipenv.exceptions.InstallError]: raise exceptions.InstallError(c.dep.name, extra=err_lines)
[pipenv.exceptions.InstallError]: ['Looking in indexes: https://pypi.python.org/simple', 'Collecting pluggy==0.6.0 (from -r /tmp/pipenv-03jpv10e-requirements/pipenv-3k4kv96o-requirement.txt (line 1))', ' Using cached https://files.pythonhosted.org/packages/ba/65/ded3bc40bbf8d887f262f150fbe1ae6637765b5c9534bd55690ed2c0b0f7/pluggy-0.6.0-py3-none-any.whl']
[pipenv.exceptions.InstallError]: ['THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.', ' pluggy==0.6.0 from https://files.pythonhosted.org/packages/ba/65/ded3bc40bbf8d887f262f150fbe1ae6637765b5c9534bd55690ed2c0b0f7/pluggy-0.6.0-py3-none-any.whl#sha256=e160a7fcf25762bb60efc7e171d4497ff1d8d2d75a3d0df7a21b76821ecbf5c5 (from -r /tmp/pipenv-03jpv10e-requirements/pipenv-3k4kv96o-requirement.txt (line 1)):', ' Expected sha256 7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff', ' Got e160a7fcf25762bb60efc7e171d4497ff1d8d2d75a3d0df7a21b76821ecbf5c5']
ERROR: ERROR: Package installation failed...
$ pipenv --support
Pipenv version: '2018.11.26'
Pipenv location: 'c:\\python38_64\\lib\\site-packages\\pipenv'
Python location: 'c:\\python38_64\\python.exe'
Python installations found:
3.8.0
:C:\Python38_64\python.exe
3.7.4
:C:\Python37\python.exe
3.7.4
:C:\Python37-32\python.exe
3.6.5
:C:\Python36_64\python.exe
2.7
:C:\Python27\python.exe
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.8.0',
'os_name': 'nt',
'platform_machine': 'AMD64',
'platform_python_implementation': 'CPython',
'platform_release': '10',
'platform_system': 'Windows',
'platform_version': '10.0.18362',
'python_full_version': '3.8.0',
'python_version': '3.8',
'sys_platform': 'win32'}
System environment variables:
ALLUSERSPROFILE
ANSICON
ANSICON_DEF
APPDATA
CAMLIBS
CHOCOLATEYINSTALL
CHOCOLATEYLASTPATHUPDATE
COMMONPROGRAMFILES
COMMONPROGRAMFILES(X86)
COMMONPROGRAMW6432
COMPUTERNAME
COMSPEC
CONEMUANSI
CONEMUANSILOG
CONEMUARGS
CONEMUARGS2
CONEMUBACKHWND
CONEMUBASEDIR
CONEMUBUILD
CONEMUCONFIG
CONEMUDIR
CONEMUDRAWHWND
CONEMUDRIVE
CONEMUHOOKS
CONEMUHWND
CONEMUPALETTE
CONEMUPID
CONEMUPROMPT0
CONEMUPROMPT1
CONEMUPROMPT2
CONEMUPROMPT3
CONEMUSERVERPID
CONEMUTASK
CONEMUWORKDIR
CONEMUWORKDRIVE
DRIVERDATA
HOMEDRIVE
HOMEPATH
IOLIBS
LOCALAPPDATA
LOGONSERVER
MAGICK_HOME
MOZ_PLUGIN_PATH
NUMBER_OF_PROCESSORS
ONEDRIVE
ONEDRIVECONSUMER
OS
PATH
PATHEXT
PROCESSOR_ARCHITECTURE
PROCESSOR_IDENTIFIER
PROCESSOR_LEVEL
PROCESSOR_REVISION
PROGRAMDATA
PROGRAMFILES
PROGRAMFILES(X86)
PROGRAMW6432
PROMPT
PSMODULEPATH
PUBLIC
SESSIONNAME
SYSTEMDRIVE
SYSTEMROOT
TEMP
TMP
USERDOMAIN
USERDOMAIN_ROAMINGPROFILE
USERNAME
USERPROFILE
VBOX_MSI_INSTALL_PATH
WINDIR
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenvûspecific environment variables:
Debugûspecific environment variables:
PATH
:"C:\Program Files\Tesseract-OCR"\;C:\Program Files\ConEmu\ConEmu\Scripts;C:\Program Files\ConEmu;C:\Program Files\ConEmu\ConEmu;C:\ProgramData\DockerDesktop\version-bin;C:\Program Files\Docker\Docker\Resources\bin;C:\Program Files\ImageMagick-7.0.8-Q16;C:\Program Files (x86)\ImageMagick-7.0.8-Q16-HDRI;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Program Files\ImageMagick-7.0.7-Q16-HDRI;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files\TortoiseGit\bin;C:\Program Files\Git\cmd;C:\Program Files\Calibre2\;C:\Program Files\nodejs\;C:\Program Files\TortoiseSVN\bin;C:\Program Files\TortoiseHg\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\CMake\bin;E:\toolbuild\sK1_Project\UniConvertor-1.1.5\;E:\toolbuild\sK1_Project\UniConvertor-1.1.5\DLLs;C:\Program Files\doxygen\bin;C:\ProgramData\chocolatey\bin;C:\Python38_64\Scripts\;C:\Python38_64\;C:\python36_64\Scripts;C:\python36_64;C:\Users\Gadget\AppData\Local\Microsoft\WindowsApps;C:\Users\Gadget\AppData\Roaming\npm;C:\Users\Gadget\AppData\Local\Programs\MiKTeX 2.9\miktex\bin\x64\;C:\Users\Gadget\AppData\Local\Pandoc\;C:\Program Files (x86)\Nmap;C:\Users\Gadget\AppData\Local\GitHubCLI\bin;C:\Users\Gadget\AppData\Local\Microsoft\WindowsApps;;c:\python38_64\lib\site-packages\pywin32_system32
Issue Analytics
- State:
- Created 4 years ago
- Comments:10 (2 by maintainers)
Top GitHub Comments
Thanks @rmbrad , so I can conclude that this issue was not caused by Pipenv.
Any more thoughts @GadgetSteve ?
@dimaqq Thanks
I believe current versions of Pipenv should store hashes for all versions/platforms.
Yeah, I’m pretty sure this is the case. The Pipfile.lock was last updated March 21, 2018, the wheels were added to PyPi on April 15, 2018.