pipenv lock --keep-outdated updates subdependencies
Issue description
`pipenv lock --keep-outdated` updates versions of subdependencies despite the `--keep-outdated` flag.

Example: Pipfile contains python-dateutil, which has six as a dependency. If a newer version of six is available it will be put into Pipfile.lock by `pipenv lock --keep-outdated`.
Expected result
When used with `--keep-outdated`, pipenv lock uses the currently installed versions without doing any updates.
Actual result
Pipenv lock puts newer versions of subdependencies into Pipfile.lock.
Steps to replicate
- Put this Pipfile into an empty folder:

  ```toml
  [[source]]
  name = "pypi"
  url = "https://pypi.org/simple"
  verify_ssl = true

  [packages]
  python-dateutil = "==2.7"
  six = "==1.5"

  [requires]
  python_version = "3.7"
  ```

- `pipenv install`
- Pipfile.lock will contain `six = '==1.5'`
- delete the line `six = '==1.5'` from the Pipfile (this simulates a release of a newer version of a subdependency)
- `pipenv lock --keep-outdated`
- Pipfile.lock will now contain `six = '==1.12'`.
This issue seems to apply only to subdependencies: if you specify `"*"` for python-dateutil in the Pipfile, `pipenv lock --keep-outdated` will (correctly) refrain from updating python-dateutil.
```
$ pipenv --support

Pipenv version: '2018.11.15.dev0'

Pipenv location: '/usr/lib/python3.7/site-packages/pipenv'

Python location: '/usr/bin/python'

Python installations found:
  - 3.7.4: /usr/bin/python3
  - 3.7.4: /usr/bin/python3.7m

PEP 508 Information:
{'implementation_name': 'cpython',
 'implementation_version': '3.7.4',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_system': 'Linux',
 'python_full_version': '3.7.4',
 'python_version': '3.7',
 'sys_platform': 'linux'}

System environment variables:

Pipenv-specific environment variables:

Debug-specific environment variables:
```

Contents of Pipfile ('/home/martin/temp/piptest/Pipfile'):

```toml
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[packages]
python-dateutil = "==2.7"

[requires]
python_version = "3.7"
```

Contents of Pipfile.lock ('/home/martin/temp/piptest/Pipfile.lock'):

```json
{
    "_meta": {
        "hash": {
            "sha256": "458ffc4c79d86d5ffe6888bcc057e0dfdf5ef89c0728cd0ea600dfebb33042dd"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.7"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "python-dateutil": {
            "hashes": [
                "sha256:07009062406cffd554a9b4135cd2ff167c9bf6b7aac61fe946c93e69fad1bbd8",
                "sha256:8f95bb7e6edbb2456a51a1fb58c8dca942024b4f5844cae62c90aa88afe6e300"
            ],
            "index": "pypi",
            "version": "==2.7"
        },
        "six": {
            "hashes": [
                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
            ],
            "version": "==1.12.0"
        }
    },
    "develop": {}
}
```
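A practical way to catch the drift described above in CI is to diff the lock file from before and after `pipenv lock --keep-outdated` and flag every entry whose pin or hashes changed without the Pipfile asking for it. The following script is an added example, not part of the issue or of pipenv; the Pipfile text and the two lock dictionaries are constructed inline to mirror the reporter's scenario (in practice you would `json.load` the two Pipfile.lock files and read the Pipfile from disk).

```python
import re

# Constructed sample inputs modelled on the issue: a Pipfile that pins only
# python-dateutil, and the Pipfile.lock "default" section before and after
# running `pipenv lock --keep-outdated` (six was bumped from 1.5 to 1.12.0).
PIPFILE = """\
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[packages]
python-dateutil = "==2.7"

[requires]
python_version = "3.7"
"""
LOCK_BEFORE = {"default": {"python-dateutil": {"version": "==2.7"},
                           "six": {"version": "==1.5"}}, "develop": {}}
LOCK_AFTER = {"default": {"python-dateutil": {"version": "==2.7"},
                          "six": {"version": "==1.12.0"}}, "develop": {}}

def pipfile_packages(text):
    """Names declared in [packages]/[dev-packages], normalised like lock-file keys."""
    names, section = set(), None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[([^\]]+)\]$", line)  # "[[source]]" does not match
        if header:
            section = header.group(1)
            continue
        entry = re.match(r"^([A-Za-z0-9_.-]+)\s*=", line)
        if entry and section in ("packages", "dev-packages"):
            names.add(entry.group(1).lower().replace("_", "-"))
    return names

def lock_changes(old_lock, new_lock, top_level):
    """Every lock entry whose pinned version or hash set changed, flagged as a
    subdependency when the Pipfile does not declare it (the case in this issue)."""
    changes = []
    for section in ("default", "develop"):
        old, new = old_lock.get(section, {}), new_lock.get(section, {})
        for name in sorted(set(old) | set(new)):
            before, after = old.get(name, {}), new.get(name, {})
            if (before.get("version") != after.get("version")
                    or sorted(before.get("hashes", [])) != sorted(after.get("hashes", []))):
                changes.append({"name": name, "section": section,
                                "before": before.get("version"), "after": after.get("version"),
                                "subdependency": name not in top_level})
    return changes

if __name__ == "__main__":
    for c in lock_changes(LOCK_BEFORE, LOCK_AFTER, pipfile_packages(PIPFILE)):
        kind = "subdependency" if c["subdependency"] else "top-level"
        print(f"{c['name']} ({kind}): {c['before']} -> {c['after']}")
```

A non-empty list of `subdependency` changes after a `--keep-outdated` lock is exactly the behaviour the reporter did not expect, so failing the build on it keeps transitive pins (and their hashes) from moving silently.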
Top GitHub Comments
I think this is the point of disagreement. The only time I expect it to resolve a version is when there is no existing lock file or the existing lock file entry does not satisfy an updated entry in the Pipfile. The request for this issue was to make it possible to make the minimal updates to satisfy the Pipfile, while keeping everything that already does satisfy unchanged.
The goal of `lock` is to generate a Pipfile.lock so that the current environment (working, hopefully) can be reproduced later. Ideally, this would generate a lock file that reflects the current state of installed packages by looking at what is actually installed right now. Nothing should be installed or upgraded unless it's currently missing entirely and therefore needs to be resolved.

The workflow that is still challenging is going from a Pipfile with semver ranges to a Pipfile.lock that pins the particular versions installed now, and it should be possible to selectively upgrade some dependencies and transitive dependencies and to cement those changes in the lock file without having other things updated unexpectedly.