Pipenv Lock (Or Install) Does Not Respect Index Specified For A Package

Issue description

Index argument for a package is not respected

Expected result

Pipenv only installs (locks) versions from specified package index.

Actual result

Pipenv installs (locks) the package with greatest version from a package index not specified in the Pipfile.

Steps to replicate

Run the following script:

#! /usr/bin/env bash

set -euxo pipefail


function finish {
  set +e

  # Under `set -u` an unset PID would abort the trap, so default to empty.
  kill -9 "${PYPI_SERVER1_PID:-}" || true
  kill -9 "${PYPI_SERVER2_PID:-}" || true
}

trap finish EXIT

cat > example.py <<EOF
import pkg_resources

def main():
    print(pkg_resources.get_distribution('example'))
EOF

cat > setup.py <<EOF
import os

import setuptools

setuptools.setup(
    name='example',
    version=os.environ['EXAMPLE_VERSION'],
    description='Example package',
    py_modules=['example'],
    python_requires='>=3.6',
    entry_points={
        'console_scripts': [
            'show-installed-package = example:main',
        ],
    },
)
EOF

EXAMPLE_VERSION=1 python setup.py bdist_wheel
EXAMPLE_VERSION=2 python setup.py bdist_wheel

python -m venv venv
venv/bin/pip install pypiserver

mkdir -p server1 server2
cp dist/example-1-py3-none-any.whl server1/
cp dist/example-2-py3-none-any.whl server2/

function run_pypi_server() {
  venv/bin/pypi-server \
    -p 808${1} \
    -i 127.0.0.1 \
    server${1}/ 2> pypi-server${1}.log &
}

run_pypi_server 1
PYPI_SERVER1_PID=$!

run_pypi_server 2
PYPI_SERVER2_PID=$!

rm -f Pipfile.lock

cat > Pipfile <<EOF
[[source]]
url = "http://127.0.0.1:8081"
name = "server1"

[[source]]
url = "http://127.0.0.1:8082"
name = "server2"

[packages]
example = {version="*", index="server1"}

[dev-packages]

[requires]
python_version = "$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"
EOF

pipenv lock
pipenv sync
pipenv run show-installed-package

The script creates two versions of the example Python package (versions 1 and 2). Then it starts the pypi servers; server 1 contains example version 1 and server 2 contains example version 2.

The Pipfile states that the example package, of any version, should be installed from index server1 (which contains only version 1 of the example package).

The result is that version 2 of the example package is installed (from server 2).

Documentation (https://pipenv.pypa.io/en/latest/advanced/#specifying-package-indexes) states:

If you’d like a specific package to be installed with a specific package index, you can do the following:


$ pipenv --support

Pipenv version: '2020.11.15'

Pipenv location: '/usr/lib/python3.9/site-packages/pipenv'

Python location: '/usr/bin/python'

Python installations found:

  • 3.9.2: /usr/bin/python3.9
  • 3.9.2: /usr/bin/python3
  • 3.7.9: /usr/bin/pypy3
  • 2.7.18: /usr/bin/python2.7
  • 2.7.18: /usr/bin/python2

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.9.2',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '5.11.1-arch1-1',
 'platform_system': 'Linux',
 'platform_version': '#1 SMP PREEMPT Tue, 23 Feb 2021 14:05:30 +0000',
 'python_full_version': '3.9.2',
 'python_version': '3.9',
 'sys_platform': 'linux'}

System environment variables:

Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /home/janne/bin:/usr/lib/colorgcc/bin:/opt/google-cloud-sdk/bin:/home/janne/bin:/usr/lib/colorgcc/bin:/home/janne/bin:/usr/lib/colorgcc/bin:/opt/google-cloud-sdk/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/lib/jvm/default/bin
  • SHELL: /bin/bash
  • EDITOR: vim
  • LANG: en_US.UTF-8
  • PWD: /home/janne/tmp/pipenvbug

Contents of Pipfile (‘/home/janne/tmp/pipenvbug/Pipfile’):

[[source]]
url = "http://127.0.0.1:8081"
name = "server1"

[[source]]
url = "http://127.0.0.1:8082"
name = "server2"

[packages]
example = {version="*", index="server1"}

[dev-packages]

[requires]
python_version = "3.9"

Contents of Pipfile.lock (‘/home/janne/tmp/pipenvbug/Pipfile.lock’):

{
    "_meta": {
        "hash": {
            "sha256": "78e9f526b9a5f7eda8ccc51a8927df178ce4b229e58f42dfa0c4de8ad2b9b07e"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "server1",
                "url": "http://127.0.0.1:8081"
            },
            {
                "name": "server2",
                "url": "http://127.0.0.1:8082"
            }
        ]
    },
    "default": {
        "example": {
            "hashes": [
                "sha256:77b20dfead4f4754da288294f2be8730c70c6835c4e654f0bf4c27905c462cfa"
            ],
            "index": "server1",
            "version": "==2"
        }
    },
    "develop": {}
}

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 8
  • Comments: 14
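The lock file above records `"index": "server1"` next to a hash and version that only server2 serves, so the lock alone cannot be trusted to show where an artifact came from. The following check is an added example, not code from the issue or from pipenv: it compares each locked hash with the hashes the declared index lists. It assumes the index's PEP 503 project page carries `#sha256=` fragments and that the caller supplies that page's HTML; the names `index_hashes` and `audit_lock` are hypothetical.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    """Collect sha256 fragments from the anchors of a PEP 503 project page."""
    def __init__(self):
        super().__init__()
        self.hashes = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        frag = urlparse(href).fragment if href else ""
        if frag.startswith("sha256="):
            self.hashes.add("sha256:" + frag[len("sha256="):])

def index_hashes(simple_page_html):
    parser = _Links()
    parser.feed(simple_page_html)
    return parser.hashes

def audit_lock(lock, pages):
    """pages maps (index name, package) -> HTML of that index's project page.
    Returns (package, index, version, hashes the index does not serve)."""
    findings = []
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            index = entry.get("index")
            if index is None:
                continue  # package is not pinned to an index
            served = index_hashes(pages.get((index, name), ""))
            stray = sorted(set(entry.get("hashes", [])) - served)
            if stray:
                findings.append((name, index, entry.get("version"), stray))
    return findings

# Constructed sample: the lock entry shown on the page, and a project page for
# server1 listing only the version 1 wheel (its hash is a made-up placeholder).
LOCK = json.loads('''{"default": {"example": {"hashes": [
  "sha256:77b20dfead4f4754da288294f2be8730c70c6835c4e654f0bf4c27905c462cfa"],
  "index": "server1", "version": "==2"}}, "develop": {}}''')
SERVER1_PAGE = ('<a href="/packages/example-1-py3-none-any.whl#sha256='
                + "0" * 64 + '">example-1-py3-none-any.whl</a>')

if __name__ == "__main__":
    for finding in audit_lock(LOCK, {("server1", "example"): SERVER1_PAGE}):
        print("locked hash not served by declared index:", finding)
```

Run against the sample, it reports the `example` entry, because server1 does not list the locked hash.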

Top GitHub Comments

2 reactions
matteius commented, Mar 23, 2022

2022.3.23 has been released!

2 reactions
reinvantveer commented, Mar 14, 2022

@matteius Thanks for taking the time to do this, I do believe this could fix a serious security issue!
