
How do you see the delta between two Pipfile.lock files?

Open ddahan opened this issue 7 years ago • 4 comments

I just ran pipenv update on my project and would like to know exactly what packages have been updated. What is the recommended way to do that?

What I would expect to

I would expect something like this to exist:

$ pipenv diff Pipfile1.lock Pipfile2.lock
> The following packages changed:
package1: old: 6.20, new: 6.21
package2: old: 3.2, new: 3.3

As the Pipfile.lock file is really easy to parse (JSON), I would not be surprised if something like this already exists and I just missed it.

What I tried so far

  • Making a unix diff between the old Pipfile.lock and the new one does not really work, because you don't see the name of the package that changes in the output.
  • Running pipenv graph before running pipenv update and saving the output to a file, for comparing them later. It kind of works, but the whole process is a bit complicated. Plus, if you forget to save the result of pipenv graph before updating, it's too late.

EDIT

I made a very simple script to handle that: https://gist.github.com/ddahan/215472a4aa1805160aba0a77902e40da

Usage example:
$ /usr/local/bin/python3.6 pipenvdiff.py Pipfile.inprod.lock Pipfile.current.lock

django-cors-headers: 2.3.0 -> 2.4.0
django-extensions: 2.0.7 -> 2.1.0
faker: 0.8.16 -> 0.8.17
ipython: 6.4.0 -> 6.5.0
lxml: 4.2.3 -> 4.2.4
openpyxl: 2.5.4 -> 2.5.5
parso: 0.3.0 -> 0.3.1
stripe: 1.84.1 -> 2.4.0

ddahan, Aug 06 '18 10:08

There is also pipenv update --outdated, but that only applies for top-level dependencies (i.e. those you specify in Pipfile).

This is definitely intriguing, and I can definitely find use of this in my own workflow 🤔 Something like pipenv update --dry-run might be good as well[1]; it can do the whole locking process, but instead of writing to Pipfile.lock, it can show a list to indicate what entries in Pipfile.lock would change.

[1]: This option is already present, but the current behaviour is identical to --outdated.

uranusjr, Aug 06 '18 11:08

@uranusjr But even with pipenv update --outdated, since you update your Pipfile.lock after running the command, you have no guarantee that your new Pipfile.lock will contain exactly what was listed in pipenv update --outdated output.

For me, the only way to be 100% sure of the installed packages is to compare the Pipfile.lock files. For now, I'm happy with my simple script, but I hope this could be integrated into the pipenv project.

ddahan, Aug 06 '18 12:08

The fact that you do the update after you check isn’t really relevant. Things you get from PyPI are cached and I don’t really foresee us designing around a theoretical edge case which I don’t think really occurs much, if ever. Outdated can and should check more than just the Pipfile though, I definitely agree.

techalchemy, Aug 06 '18 13:08

Would be great to have a version of this script that leverages git to list the changes.

lsmith77, Jul 12 '22 15:07
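A lock-file diff along the lines requested in the first post and in the comment above, as an added example (not ddahan's gist and not part of pipenv). It compares the default and develop sections of two Pipfile.lock files and goes beyond the version list shown earlier by also reporting added and removed packages, and entries whose hashes changed while the pinned version stayed the same. The script name lockdiff.py and the rule that a non-file argument is read as a git REV:PATH through git show are assumptions of this example.

```python
import json
import subprocess
import sys
from pathlib import Path

SECTIONS = ("default", "develop")  # the two package sections of a Pipfile.lock


def load_lock(spec):
    """Load a lock file from a path, or from git when spec is 'REV:PATH'."""
    if Path(spec).is_file():
        return json.loads(Path(spec).read_text())
    # Assumption of this example: anything that is not a file is a git object
    # name such as 'HEAD~1:Pipfile.lock', read with `git show`.
    out = subprocess.run(["git", "show", spec], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def pin(entry):
    """Version pin without '=='; VCS entries have no version, so use the ref."""
    return entry.get("version", "").lstrip("=") or entry.get("ref", "unpinned")


def diff_locks(old, new):
    """Return (section, package, kind, old_pin, new_pin) tuples, sorted by name."""
    changes = []
    for section in SECTIONS:
        before, after = old.get(section, {}), new.get(section, {})
        for name in sorted(before.keys() | after.keys()):
            a, b = before.get(name), after.get(name)
            if a is None:
                changes.append((section, name, "added", None, pin(b)))
            elif b is None:
                changes.append((section, name, "removed", pin(a), None))
            elif pin(a) != pin(b):
                changes.append((section, name, "changed", pin(a), pin(b)))
            elif set(a.get("hashes", [])) != set(b.get("hashes", [])):
                # Same pin but a different set of file hashes: worth a review.
                changes.append((section, name, "hashes", pin(a), pin(b)))
    return changes


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: lockdiff.py OLD NEW  (each a path or a git REV:PATH)")
    for section, name, kind, old_pin, new_pin in diff_locks(
            load_lock(sys.argv[1]), load_lock(sys.argv[2])):
        print(f"[{section}] {name}: {kind} {old_pin} -> {new_pin}")
```

Run inside a repository as, for instance, python lockdiff.py HEAD~1:Pipfile.lock Pipfile.lock to compare the previous commit's lock file with the working copy.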

I believe most folks check their Pipfile.lock into source control and see the deltas on PRs.

matteius, Sep 03 '22 12:09