pipenv
pipenv copied to clipboard
pypa
Pipenv installs spurious dependencies
Issue description
When installing any version of Django < 3.0 as a dependency and django-debug-toolbar as a dev dependency, pipenv lock determines that asgiref is a required package when it in fact is not.
Expected result
$ pipenv graph
django-debug-toolbar==2.2
- Django [required: >=1.11, installed: 2.2.13]
- pytz [required: Any, installed: 2020.1]
- sqlparse [required: Any, installed: 0.3.1]
- sqlparse [required: >=0.2.0, installed: 0.3.1]
Actual result
$ pipenv graph
asgiref==3.2.10
django-debug-toolbar==2.2
- Django [required: >=1.11, installed: 2.2.13]
- pytz [required: Any, installed: 2020.1]
- sqlparse [required: Any, installed: 0.3.1]
- sqlparse [required: >=0.2.0, installed: 0.3.1]
Steps to replicate
In a new project, run the following commands:
$ pipenv install 'Django<3.0'
$ pipenv install --dev django-debug-toolbar
$ pipenv --support
Pipenv version: '2020.6.2'
Pipenv location: '/usr/local/Cellar/pipenv/2020.6.2/libexec/lib/python3.8/site-packages/pipenv'
Python location: '/usr/local/Cellar/pipenv/2020.6.2/libexec/bin/python3.8'
Python installations found:
3.8.0:/Users/jmorris/.pyenv/versions/3.8.0/bin/python33.7.7:/usr/local/bin/python33.7.7:/usr/local/bin/python3.7m3.7.7:/usr/local/bin/python3.73.6.8:/Users/jmorris/.pyenv/versions/3.6.8/bin/python33.5.9:/Users/jmorris/.pyenv/versions/3.5.9/bin/python33.5.1:/Users/jmorris/.pyenv/versions/3.5.1/bin/python32.7.18:/Users/jmorris/.pyenv/versions/2.7.18/bin/python22.7.17:/usr/local/bin/python22.7.17:/usr/local/bin/python2.72.7.16:/usr/bin/python2.7
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.8.3',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '18.7.0',
'platform_system': 'Darwin',
'platform_version': 'Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT '
'2020; root:xnu-4903.278.35~1/RELEASE_X86_64',
'python_full_version': '3.8.3',
'python_version': '3.8',
'sys_platform': 'darwin'}
System environment variables:
PATHTERM_PROGRAMTERMSHELLTMPDIRApple_PubSub_Socket_RenderTERM_PROGRAM_VERSIONTERM_SESSION_IDUSERSSH_AUTH_SOCK__CF_USER_TEXT_ENCODINGPWDEDITORLANGITERM_PROFILEXPC_FLAGSXPC_SERVICE_NAMESHLVLPYENV_SHELLHOMECOLORFGBGLC_TERMINAL_VERSIONITERM_SESSION_IDLOGNAMELESSLESSOPENLC_TERMINALCOLORTERMPIP_DISABLE_PIP_VERSION_CHECKPYTHONDONTWRITEBYTECODEPIP_SHIMS_BASE_MODULEPIP_PYTHON_PATHPYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
Debug–specific environment variables:
PATH:/usr/local/Cellar/pipenv/2020.6.2/libexec/tools:/Users/jmorris/.pyenv/shims:/Users/jmorris/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/MacGPG2/bin:/Applications/Wireshark.app/Contents/MacOSSHELL:/usr/local/bin/fishEDITOR:vimLANG:en_US.UTF-8PWD:/tmp/lol
Contents of Pipfile ('/private/tmp/lol/Pipfile'):
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
django-debug-toolbar = "*"
[packages]
django = "<3.0"
[requires]
python_version = "3.8"
Contents of Pipfile.lock ('/private/tmp/lol/Pipfile.lock'):
{
"_meta": {
"hash": {
"sha256": "5e37dff5e53a743305538fdd5fb9da0dbe7eea0521b520e50a56ee191050c830"
},
"pipfile-spec": 6,
"requires": {
"python_version": "3.8"
},
"sources": [
{
"name": "pypi",
"url": "https://pypi.org/simple",
"verify_ssl": true
}
]
},
"default": {
"django": {
"hashes": [
"sha256:84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80",
"sha256:e8fe3c2b2212dce6126becab7a693157f1a441a07b62ec994c046c76af5bb66d"
],
"index": "pypi",
"version": "==2.2.13"
},
"pytz": {
"hashes": [
"sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
"sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
],
"version": "==2020.1"
},
"sqlparse": {
"hashes": [
"sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
"sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.3.1"
}
},
"develop": {
"asgiref": {
"hashes": [
"sha256:7e51911ee147dd685c3c8b805c0ad0cb58d360987b56953878f8c06d2d1c6f1a",
"sha256:9fc6fb5d39b8af147ba40765234fa822b39818b12cc80b35ad9b0cef3a476aed"
],
"markers": "python_version >= '3.5'",
"version": "==3.2.10"
},
"django": {
"hashes": [
"sha256:84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80",
"sha256:e8fe3c2b2212dce6126becab7a693157f1a441a07b62ec994c046c76af5bb66d"
],
"index": "pypi",
"version": "==2.2.13"
},
"django-debug-toolbar": {
"hashes": [
"sha256:eabbefe89881bbe4ca7c980ff102e3c35c8e8ad6eb725041f538988f2f39a943",
"sha256:ff94725e7aae74b133d0599b9bf89bd4eb8f5d2c964106e61d11750228c8774c"
],
"index": "pypi",
"version": "==2.2"
},
"pytz": {
"hashes": [
"sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
"sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
],
"version": "==2020.1"
},
"sqlparse": {
"hashes": [
"sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
"sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==0.3.1"
}
}
}
Not sure why it ends up at the top-level, but django does require asgiref in setup.cfg: https://github.com/django/django/blob/197b55c53469cf8344d1ba35175236780cb83bd1/setup.cfg#L43-L46
Yes, Django started requiring asgiref in Django 3. If you look at the requirements for Django 2.2.x, asgiref is absent:
https://github.com/django/django/blob/stable/2.2.x/setup.py#L86
The linked #4455 provides more context: The packages that are being installed are future dependencies; that is, dependencies of later versions of packages that --keep-outdated is, well, keeping outdated. They shouldn't even enter into the dependency tree if their parent package is being held back.
This is still a problem in pipenv 2022.1.8.
@GPHemsley-RELX Can you check if it is still a problem in my branch that upgrades to latest pip? Branch is vendor-pip-22.0.3-followup-changes and the new pip resolver solves some other infinity lock issues so I am wondering if the resolver fixes that as well.
EDIT: Nevermind, I just checked the steps it appears to still be a problem even on my branch:
matteius@matteius-VirtualBox:~/shared-projects/pipenv-triage/pipenv-4371$ pipenv graph
asgiref==3.5.0
django-debug-toolbar==3.2.4
- Django [required: >=2.2, installed: 2.2.27]
- pytz [required: Any, installed: 2021.3]
- sqlparse [required: >=0.2.2, installed: 0.4.2]
- sqlparse [required: >=0.2.0, installed: 0.4.2]
Just noting this is specifically an issue of installing a new dependency as --dev because if I repeat the steps but install pipenv install django-debug-toolbar regularly it produces the expected graph.
@matteius My current solution is creating default constraints associated with packages, then pass those constraints to resolver and use them when installing dev-packages. But it only solves the case when installing from Pipfile, not the case where user provides packages.
# Pipfile
[packages]
django = "<3.0"
[dev-packages]
django-debug-toolbar = "*"
$ pipenv graph
django-debug-toolbar==3.2.4
- Django [required: >=2.2, installed: 2.2.28]
- pytz [required: Any, installed: 2022.1]
- sqlparse [required: >=0.2.2, installed: 0.4.2]
- sqlparse [required: >=0.2.0, installed: 0.4.2]
Should I open a PR just for this case?
New version of pipenv==2022.8.13 has been released with the fix produced by @dqkqd !