Pipenv Lock (Or Install) Does Not Respect Index Specified For A Package
Issue description
Index argument for a package is not respected
Expected result
Pipenv only installs (locks) versions from specified package index.
Actual result
Pipenv installs (locks) the package with greatest version from a package index not specified in the Pipfile.
Steps to replicate
Run the following script:
#! /usr/bin/env bash
# Reproduces the bug: two local package indexes, one version of "example" on each,
# and a Pipfile that pins "example" to the index holding only version 1.
set -euxo pipefail

function finish {
    set +e
    # The PIDs are unset if the script fails before the servers start; with `set -u`
    # an unguarded expansion would abort the trap handler itself, so default them.
    kill -9 ${PYPI_SERVER1_PID:-} || true
    kill -9 ${PYPI_SERVER2_PID:-} || true
}
trap finish EXIT

# A minimal package whose console script prints the installed distribution.
cat > example.py <<EOF
import pkg_resources

def main():
    print(pkg_resources.get_distribution('example'))
EOF

cat > setup.py <<EOF
import os
import setuptools

setuptools.setup(
    name='example',
    version=os.environ['EXAMPLE_VERSION'],
    description='Example package',
    py_modules=['example'],
    python_requires='>=3.6',
    entry_points={
        'console_scripts': [
            'show-installed-package = example:main',
        ],
    },
)
EOF

# Build version 1 and version 2 of the same package (needs the "wheel" package installed).
EXAMPLE_VERSION=1 python setup.py bdist_wheel
EXAMPLE_VERSION=2 python setup.py bdist_wheel

# One pypiserver per index: server1 serves only version 1, server2 only version 2.
python -m venv venv
venv/bin/pip install pypiserver
mkdir -p server1 server2
cp dist/example-1-py3-none-any.whl server1/
cp dist/example-2-py3-none-any.whl server2/

function run_pypi_server() {
    venv/bin/pypi-server \
        -p 808${1} \
        -i 127.0.0.1 \
        server${1}/ 2> pypi-server${1}.log &
}

# Block until an index answers on its /simple/ endpoint, so pipenv does not race the servers.
function wait_for_server() {
    until venv/bin/python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:808${1}/simple/')" 2>/dev/null; do
        sleep 0.2
    done
}

run_pypi_server 1
PYPI_SERVER1_PID=$!
run_pypi_server 2
PYPI_SERVER2_PID=$!
wait_for_server 1
wait_for_server 2

# "example" is pinned to server1, which only has version 1.
rm -f Pipfile.lock
cat > Pipfile <<EOF
[[source]]
url = "http://127.0.0.1:8081"
name = "server1"

[[source]]
url = "http://127.0.0.1:8082"
name = "server2"

[packages]
example = {version="*", index="server1"}

[dev-packages]

[requires]
python_version = "$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"
EOF

pipenv lock
pipenv sync
pipenv run show-installed-package   # prints "example 2" on affected versions: the index pin was ignored
The script creates two versions of the example Python package (version 1 and 2). Then it starts pypi servers; server 1 contains example version 1 and server 2 contains example version 2.
The Pipfile states that the example package of any version should be installed from index server1 (which contains only version 1 of the example package).
The result is that version 2 of the example package is installed (from server 2).
Documentation (https://pipenv.pypa.io/en/latest/advanced/#specifying-package-indexes) states:
If you’d like a specific package to be installed with a specific package index, you can do the following:
$ pipenv --support
Pipenv version: '2020.11.15'
Pipenv location: '/usr/lib/python3.9/site-packages/pipenv'
Python location: '/usr/bin/python'
Python installations found:
- 3.9.2: /usr/bin/python3.9
- 3.9.2: /usr/bin/python3
- 3.7.9: /usr/bin/pypy3
- 2.7.18: /usr/bin/python2.7
- 2.7.18: /usr/bin/python2
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.9.2',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '5.11.1-arch1-1',
'platform_system': 'Linux',
'platform_version': '#1 SMP PREEMPT Tue, 23 Feb 2021 14:05:30 +0000',
'python_full_version': '3.9.2',
'python_version': '3.9',
'sys_platform': 'linux'}
System environment variables:
SHELL
SESSION_MANAGER
WINDOWID
QT_SCREEN_SCALE_FACTORS
COLORTERM
XDG_SESSION_PATH
HISTCONTROL
TMUX
HISTSIZE
LANGUAGE
LC_ADDRESS
LC_NAME
SSH_AUTH_SOCK
HISTTIMEFORMAT
SHELL_SESSION_ID
DESKTOP_SESSION
LC_MONETARY
SSH_AGENT_PID
GTK_RC_FILES
XCURSOR_SIZE
CLOUDSDK_PYTHON_ARGS
EDITOR
GTK_MODULES
XDG_SEAT
PWD
XDG_SESSION_DESKTOP
LOGNAME
XDG_SESSION_TYPE
XAUTHORITY
MOTD_SHOWN
GTK2_RC_FILES
HOME
LC_PAPER
LANG
HISTFILE
XDG_CURRENT_DESKTOP
KONSOLE_DBUS_SERVICE
CLOUDSDK_ROOT_DIR
KONSOLE_DBUS_SESSION
PROFILEHOME
XDG_SEAT_PATH
KONSOLE_VERSION
KDE_SESSION_UID
CLOUDSDK_PYTHON
XDG_SESSION_CLASS
TERM
LC_IDENTIFICATION
GOOGLE_CLOUD_SDK_HOME
USER
TMUX_PANE
COLORFGBG
KDE_SESSION_VERSION
PAM_KWALLET5_LOGIN
VISUAL
DISPLAY
SHLVL
LC_TELEPHONE
LC_MESSAGES
LC_MEASUREMENT
XDG_VTNR
XDG_SESSION_ID
MOZ_PLUGIN_PATH
LC_CTYPE
XDG_RUNTIME_DIR
LC_TIME
QT_AUTO_SCREEN_SCALE_FACTOR
LC_COLLATE
XCURSOR_THEME
KDE_FULL_SESSION
PATH
HISTFILESIZE
DBUS_SESSION_BUS_ADDRESS
KDE_APPLICATIONS_AS_SCOPE
HG
MAIL
LC_NUMERIC
OLDPWD
_
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
Debug–specific environment variables:
- PATH: /home/janne/bin:/usr/lib/colorgcc/bin:/opt/google-cloud-sdk/bin:/home/janne/bin:/usr/lib/colorgcc/bin:/home/janne/bin:/usr/lib/colorgcc/bin:/opt/google-cloud-sdk/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/lib/jvm/default/bin
- SHELL: /bin/bash
- EDITOR: vim
- LANG: en_US.UTF-8
- PWD: /home/janne/tmp/pipenvbug
Contents of Pipfile ('/home/janne/tmp/pipenvbug/Pipfile'):
[[source]]
url = "http://127.0.0.1:8081"
name = "server1"
[[source]]
url = "http://127.0.0.1:8082"
name = "server2"
[packages]
example = {version="*", index="server1"}
[dev-packages]
[requires]
python_version = "3.9"
Contents of Pipfile.lock ('/home/janne/tmp/pipenvbug/Pipfile.lock'):
{
    "_meta": {
        "hash": {
            "sha256": "78e9f526b9a5f7eda8ccc51a8927df178ce4b229e58f42dfa0c4de8ad2b9b07e"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "server1",
                "url": "http://127.0.0.1:8081"
            },
            {
                "name": "server2",
                "url": "http://127.0.0.1:8082"
            }
        ]
    },
    "default": {
        "example": {
            "hashes": [
                "sha256:77b20dfead4f4754da288294f2be8730c70c6835c4e654f0bf4c27905c462cfa"
            ],
            "index": "server1",
            "version": "==2"
        }
    },
    "develop": {}
}
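The lock file above records index "server1" for example while locking version 2, which only server2 serves. A defender can catch that discrepancy after the fact by checking each locked package's hashes against the PEP 503 "simple" page of the index it is pinned to. The following is an added example, not pipenv's own code or a script from the issue: it assumes every index in the lock exposes a `/simple/<project>/` page with `#sha256=` fragments on its file links (pypiserver does), the sample lock is a trimmed copy of the issue's Pipfile.lock, the two simple pages are constructed inline, and the version-1 digest is a constructed placeholder.

```python
"""Audit a Pipfile.lock: does the index each package is pinned to really serve the locked hashes?

Added example, not pipenv code. Sample indexes and the version-1 digest below are constructed.
"""
import json
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def canonical_name(project):
    """PEP 503 project-name normalisation used in simple-index URLs."""
    return re.sub(r"[-_.]+", "-", project).lower()


class _SimplePageParser(HTMLParser):
    """Collect sha256 digests from the #sha256=... fragments of a simple-index page."""

    def __init__(self):
        super().__init__()
        self.hashes = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        fragment = urlsplit(href).fragment
        if fragment.lower().startswith("sha256="):
            self.hashes.add("sha256:" + unquote(fragment[len("sha256="):]).lower())


def hashes_served(simple_page_html):
    parser = _SimplePageParser()
    parser.feed(simple_page_html)
    return parser.hashes


def fetch_simple_page(index_url, project):
    """Network fetcher for real use; the offline sample below injects its own."""
    url = f"{index_url.rstrip('/')}/simple/{canonical_name(project)}/"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def load_lock(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_lock(lock, fetch=fetch_simple_page):
    """Return one finding per locked package whose pinned index lacks any locked hash."""
    sources = {s["name"]: s["url"] for s in lock["_meta"]["sources"]}
    findings = []
    for section in ("default", "develop"):
        for project, spec in lock.get(section, {}).items():
            index = spec.get("index")
            if not index:
                continue  # no per-package pin to verify
            served = hashes_served(fetch(sources[index], project))
            missing = sorted(h for h in spec.get("hashes", []) if h not in served)
            if missing:
                findings.append({"package": project, "index": index,
                                 "version": spec.get("version"), "missing_hashes": missing})
    return findings


# --- constructed sample data mirroring the issue's two-server setup ---
LOCKED_HASH = "sha256:77b20dfead4f4754da288294f2be8730c70c6835c4e654f0bf4c27905c462cfa"  # from the issue's lock
V1_HASH = "sha256:" + "0" * 64  # constructed placeholder digest for the version-1 wheel

SAMPLE_LOCK = {
    "_meta": {"sources": [{"name": "server1", "url": "http://127.0.0.1:8081"},
                          {"name": "server2", "url": "http://127.0.0.1:8082"}]},
    "default": {"example": {"hashes": [LOCKED_HASH], "index": "server1", "version": "==2"}},
    "develop": {},
}


def _simple_page(filename, digest):
    # Minimal PEP 503 page: one file link carrying its digest in the URL fragment.
    return f'<html><body><a href="/packages/{filename}#{digest.replace(":", "=")}">{filename}</a></body></html>'


SAMPLE_PAGES = {
    "http://127.0.0.1:8081": _simple_page("example-1-py3-none-any.whl", V1_HASH),
    "http://127.0.0.1:8082": _simple_page("example-2-py3-none-any.whl", LOCKED_HASH),
}


def offline_fetch(index_url, project):
    return SAMPLE_PAGES[index_url]


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, fetch=offline_fetch):
        print(f"{f['package']} {f['version']}: pinned to {f['index']}, "
              f"but that index does not serve {f['missing_hashes']}")
```

Run it against a real checkout with `audit_lock(load_lock("Pipfile.lock"))`; an empty result means every pinned package's artifact hashes are present on the index named in the lock, and a non-empty result is the signal that the resolver pulled the artifact from a source other than the one the Pipfile asked for.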
Issue Analytics
- Created 3 years ago
- Reactions: 8
- Comments: 14
Top GitHub Comments
2022.3.23 has been released!
@matteius Thanks for taking the time to do this, I do believe this could fix a serious security issue!