Currently npm/yarn/pnpm are the only managers supporting lock file maintenance. pipenv should be added (i.e. refreshing Pipfile.lock).
First user would be @fahrradflucht who is using the hosted GitLab app
I would be willing to test Pipenv lock file support as well for one of my projects. I just need to enable Renovate's Pipenv support in my configuration.
(I recently began exploring Pipenv to support an automated release strategy for Python library developers. Given this comment, I may be interested in exploring that as well).
I’m also greatly interested in Pipfile.lock maintenance.
As I see it, many projects I see out there currently set the pinned release in Pipfile to "*", and then do dependency point-upgrades by pipenv sync. If we could use renovate to automate that process, and give us PRs for updates of both dependencies and dependency-dependencies by supporting Pipfile.lock, too — that would make the lives of many projects and developers much easier ^_^.
Thanks for this great project :+1: .
The logic is still a bit hardcoded for npm/yarn/pnpm so I need to think a bit about how best to extract it out generically for composer, pipenv, etc.
Thanks for considering it, and thinking about the architectural choices!
One thing I’m not sure about yet, though, is if I understand lockfile maintenance as renovate does it correctly: Could it cover the use case I described above, i.e. the actual pinning happening in the lockfile instead of the dependency-declaring-file — and the dependency-declaring-file would allow all versions, except for cases with known breakage or incompatibilities?
Thanks!
-Dario
Lock file maintenance simply recreates the lock file from scratch, ensuring that it's completely refreshed regularly and versions are not held back. This means that the Pipfile can contain loose ranges
What's the status of this issue given the comments in #5117? Should updating Pipfile.lock work even when there are no changes in the Pipfile itself?
For our project, Renovate did not update the Pipfile.lock (see https://github.com/projectsyn/commodore/pull/29), even though we've explicitly enabled pipenv support in renovate.json.
@simu in Renovate terms, "lock file maintenance" is short for "deleting the lock file and locking dependencies again to ensure the very latest of everything". I'm not sure what you're referring to though, because I see an updated Pipfile.lock in the PR you link to.
@rarkins yes, in projectsyn/commodore#29 there's an updated Pipfile.lock which I had to push manually in a second commit. Renovate only updated the requirements.txt.
The same issue I described in the previous comment can be seen in e.g. https://github.com/projectsyn/commodore/pull/30: Renovate updated boto3 to v1.12.0 in requirements.txt, but as far as I can tell pipenv lock was not executed. (Renovate job log #141530923)
I missed that detail, thanks. I also thought Pipenv only uses Pipfile. This is a new requirement if so - can you create a new feature request in this repo with as much documentation / description as possible?
Loose-ish pins in Pipfile and hard pins for only what's needed. That's how we use pipenv at least. Would love to see this added.
The logic would basically be to run pipenv update --dry-run and see if it does anything or run pipenv update and do a diff of before/after of Pipfile.lock.
The logic is still a bit hardcoded for npm/yarn/pnpm so I need to think a bit about how best to extract it out generically for composer, pipenv, etc.
Hey @rarkins,
Seems you were thinking about it around the same time https://github.com/renovatebot/renovate/pull/5400 was merged.
Would a similar change for pipenv be considered? Or would it be not accepted, pending architectural change?
@ps-jay I think we're ready for pipenv lockFileMaintenance now :)
Nice!
I'll see if I can get a contribution done by myself or one of my teammates.
I think #6036 would help here too
:tada: This issue has been resolved in version 19.225.0 :tada:
The release is available on:
19.225.0
Your semantic-release bot :package::rocket: