pipenv incorrectly resolves dev-dependencies

Created on 19 Dec 2017 · 10 Comments · Source: pypa/pipenv

When installing dev dependencies some packages receive wrong versions.
These packages seem to ignore constraints defined in Pipfile.

Describe your environment
  1. OS Type: macos, 10.11.6
  2. Python version: $ python -V, 3.6.2
  3. Pipenv version: $ pipenv --version, 9.0.1

Expected result

I expect that django==1.11 will be installed.

Actual result

django==2.0 is installed.

Steps to replicate

Pipfile

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true

[requires]
python_version = '3.6'

[dev-packages]
django-debug-toolbar = "*"

[packages]
django = "<1.12"

Pipfile.lock

{
    "_meta": {
        "hash": {
            "sha256": "b802355565a0f9e930143694c9133a2693b413a900600db3683a82a2406fed7a"
        },
        "host-environment-markers": {
            "implementation_name": "cpython",
            "implementation_version": "3.6.2",
            "os_name": "posix",
            "platform_machine": "x86_64",
            "platform_python_implementation": "CPython",
            "platform_release": "15.6.0",
            "platform_system": "Darwin",
            "platform_version": "Darwin Kernel Version 15.6.0: Fri Feb 17 10:21:18 PST 2017; root:xnu-3248.60.11.4.1~1/RELEASE_X86_64",
            "python_full_version": "3.6.2",
            "python_version": "3.6",
            "sys_platform": "darwin"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "url": "https://pypi.python.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "django": {
            "hashes": [
                "sha256:fad46f44f6f4de66aacaa92e7753dbc4fe3ae834aa2daffaca0bf16c64798186",
                "sha256:fed3e79bb5a3a8d5eb054c7a1ec1de229ef3f43335a67821cc3e489e9582f711"
            ],
            "version": "==1.11.8"
        },
        "pytz": {
            "hashes": [
                "sha256:80af0f3008046b9975242012a985f04c5df1f01eed4ec1633d56cc47a75a6a48",
                "sha256:feb2365914948b8620347784b6b6da356f31c9d03560259070b2f30cff3d469d",
                "sha256:59707844a9825589878236ff2f4e0dc9958511b7ffaae94dc615da07d4a68d33",
                "sha256:d0ef5ef55ed3d37854320d4926b04a4cb42a2e88f71da9ddfdacfde8e364f027",
                "sha256:c41c62827ce9cafacd6f2f7018e4f83a6f1986e87bfd000b8cfbd4ab5da95f1a",
                "sha256:8cc90340159b5d7ced6f2ba77694d946fc975b09f1a51d93f3ce3bb399396f94",
                "sha256:dd2e4ca6ce3785c8dd342d1853dd9052b19290d5bf66060846e5dc6b8d6667f7",
                "sha256:699d18a2a56f19ee5698ab1123bbcc1d269d061996aeb1eda6d89248d3542b82",
                "sha256:fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7"
            ],
            "version": "==2017.3"
        }
    },
    "develop": {
        "django": {
            "hashes": [
                "sha256:af18618ce3291be5092893d8522fe3919661bf3a1fb60e3858ae74865a4f07c2",
                "sha256:9614851d4a7ff8cbd32b73c6076441f377c45a5bbff7e771798fb02c43c31f47"
            ],
            "version": "==2.0"
        },
        "django-debug-toolbar": {
            "hashes": [
                "sha256:4af2a4e1e932dadbda197b18585962d4fc20172b4e5a479490bc659fe998864d",
                "sha256:d9ea75659f76d8f1e3eb8f390b47fc5bad0908d949c34a8a3c4c87978eb40a0f"
            ],
            "version": "==1.9.1"
        },
        "pytz": {
            "hashes": [
                "sha256:80af0f3008046b9975242012a985f04c5df1f01eed4ec1633d56cc47a75a6a48",
                "sha256:feb2365914948b8620347784b6b6da356f31c9d03560259070b2f30cff3d469d",
                "sha256:59707844a9825589878236ff2f4e0dc9958511b7ffaae94dc615da07d4a68d33",
                "sha256:d0ef5ef55ed3d37854320d4926b04a4cb42a2e88f71da9ddfdacfde8e364f027",
                "sha256:c41c62827ce9cafacd6f2f7018e4f83a6f1986e87bfd000b8cfbd4ab5da95f1a",
                "sha256:8cc90340159b5d7ced6f2ba77694d946fc975b09f1a51d93f3ce3bb399396f94",
                "sha256:dd2e4ca6ce3785c8dd342d1853dd9052b19290d5bf66060846e5dc6b8d6667f7",
                "sha256:699d18a2a56f19ee5698ab1123bbcc1d269d061996aeb1eda6d89248d3542b82",
                "sha256:fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7"
            ],
            "version": "==2017.3"
        },
        "sqlparse": {
            "hashes": [
                "sha256:d9cf190f51cbb26da0412247dfe4fb5f4098edb73db84e02f9fc21fdca31fed4",
                "sha256:ce028444cfab83be538752a2ffdb56bc417b7784ff35bb9a3062413717807dec"
            ],
            "version": "==0.2.4"
        }
    }
}

Now, run pipenv install --dev.
And pip freeze just to be sure:

» pipenv run pip freeze
Django==2.0
django-debug-toolbar==1.9.1
pytz==2017.3
sqlparse==0.2.4

As you can see django==2.0 violates my constraint django<1.12.

All 10 comments

this is a known bug — 

I would lean toward https://github.com/pypa/pipenv/issues/1177#issuecomment-352777133 as a solution

@kennethreitz,

Is there a workaround until a release is made to fix this issue?

Current workaround is to repeat production dependencies in dev-packages. I think discussion is happening in #1255.

I've thrown together a script to help detect conflicting versions between the different sections of Pipfile.lock: https://gist.github.com/ovidner/d01661ded87df226334b14fa8f9e69d1

It's not that pretty, but it works. :)
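
A check of the kind described above, as an added example (it is not the linked gist's code and not part of pipenv): it compares the pins in the `default` and `develop` sections of a Pipfile.lock and reports packages locked to different versions. The embedded lock is a constructed, trimmed copy of the one in the issue with the hash lists omitted; `find_conflicts` and `main` are names chosen for this example.

```python
import json
import re
import sys

# Constructed sample: the issue's Pipfile.lock, trimmed to names and versions.
SAMPLE_LOCK = """
{
  "default": {
    "django": {"version": "==1.11.8"},
    "pytz": {"version": "==2017.3"}
  },
  "develop": {
    "django": {"version": "==2.0"},
    "django-debug-toolbar": {"version": "==1.9.1"},
    "pytz": {"version": "==2017.3"},
    "sqlparse": {"version": "==0.2.4"}
  }
}
"""


def normalize(name):
    """PEP 503 normalization, so 'Django' and 'django' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned(section):
    """Map normalized name -> pinned version (None for VCS/editable entries)."""
    return {normalize(n): entry.get("version") for n, entry in section.items()}


def find_conflicts(lock_text):
    """Return [(name, default_pin, develop_pin)] where the two sections differ."""
    lock = json.loads(lock_text)
    default = pinned(lock.get("default", {}))
    develop = pinned(lock.get("develop", {}))
    shared = sorted(default.keys() & develop.keys())
    return [(n, default[n], develop[n]) for n in shared if default[n] != develop[n]]


def main(argv):
    # With a path argument, check that lock file; otherwise check the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOCK
    conflicts = find_conflicts(text)
    for name, prod, dev in conflicts:
        print(f"{name}: default pins {prod}, develop pins {dev}")
    return 1 if conflicts else 0  # non-zero exit lets CI fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a real lock file by passing its path as the first argument; the non-zero exit code makes it usable as a CI gate before `pipenv install --dev`.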

Another side effect of this that I noticed in #1342 is that pipenv install --dev will install a different version of the dependency (Django in this issue, Flask in mine) depending on how many times the command is run. Also, running pipenv graph with a Pipfile as described in these two issues will not show Django/Flask as top-level dependencies, even though they are listed specifically, and are only shown if they are a sub-dependency of another package.

In my mind, the dev packages section is meant to be complementary/additive to the dependencies in the main section, not an alternative set of dependencies. Therefore, I think that @techalchemy's suggestion of a flat Pipfile.lock makes the most sense.

fixed

Pro-tip: You may still encounter this bug after upgrading if your lockfile was generated before the fix. Removing then creating a new lockfile with an updated Pipenv fixes the issue for me.

Where was this fixed? I'm experiencing the issue with:

python -V, 2.7.13
pipenv --version, 2018.11.26

I also still have this problem with pipenv 2018.11.26 and Python 3.7.2 on Linux.
