Question: Will it also replace `pipenv`?

Open TheRealBecks opened this issue 1 year ago • 5 comments

Have you already heard about pipenv? I saw that you are talking about replacing several package managers and virtualization managers, but I didn't see you mention pipenv.

Key benefits of using pipenv:

  • replaces pip and venv
  • No shitty requirements.txt, but a structured Pipfile
  • The production or development installation from Pipfile will result in a Pipfile.lock that uses hashes to strengthen the security, but also allows installing binary-equal versions on several platforms, so your development install can be equal to the production setup on a server
  • Integrated into VS Code, so the virtual environment can be used directly

Especially using a .lock file with hashes instead of the requirements.txt is a killer feature. I would love to see something equivalent in uv.

TheRealBecks avatar Feb 16 '24 09:02 TheRealBecks

Upvote this question, as pip has security concerns when we need to work with several registries, private and public ones, and it's great to have lock files so that on CI we don't need to make any additional resolution at all.

moaddib666 avatar Feb 16 '24 10:02 moaddib666

`uv pip compile` supports pip-compile's `--generate-hashes` flag if you want a lock file with hashes. I believe uv aims to introduce a higher level UI in the future, but the low level commands are there.

hauntsaninja avatar Feb 16 '24 20:02 hauntsaninja

It would be nice to be able to just type:

```
uv pip compile Pipfile --generate-hashes -o requirements.txt # Read a Pipenv file.
```

In the meantime, a workaround is:

```
pipenv requirements > requirements.in
uv pip compile requirements.in --generate-hashes -o requirements.txt
```

thomasleveil avatar Feb 20 '24 10:02 thomasleveil
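
What a hash-locked requirements.txt like the one written by the commands above lets a CI job check before anything is installed, as an added example that is not code from uv, pipenv or anyone in this thread. The package names, the stand-in wheel bytes and the sample file are constructed, and the parser only covers the `name==version --hash=sha256:...` layout.

```python
import hashlib
import re

def norm(name):
    # PEP 503 name normalisation, so Demo_Pkg and demo-pkg compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_hashed_requirements(text):
    """Map package name -> {"version", "hashes"} from --generate-hashes style output."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)            # join backslash continuations
    reqs = {}
    for line in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()   # drop comments
        if not line or line.startswith("-"):             # blank, or an option line
            continue
        spec, *opts = line.split()
        m = re.fullmatch(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?==([^;]+)", spec)
        name = m.group(1) if m else re.split(r"[<>=!~\[;]", spec)[0]
        hashes = {o.split("=", 1)[1] for o in opts if o.startswith("--hash=")}
        reqs[norm(name)] = {"version": m.group(2) if m else None, "hashes": hashes}
    return reqs

def audit(reqs):
    """Problems that pip's --require-hashes mode would also refuse to install."""
    problems = []
    for name, r in sorted(reqs.items()):
        if r["version"] is None:
            problems.append(f"{name}: not pinned with ==")
        if not r["hashes"]:
            problems.append(f"{name}: no --hash entry")
    return problems

def artifact_allowed(reqs, name, data):
    """True if the downloaded bytes match a sha256 locked for this package."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return digest in reqs.get(norm(name), {"hashes": set()})["hashes"]

# Constructed sample: the bytes stand in for a wheel, the text mimics the lock layout.
WHEEL = b"constructed bytes standing in for a wheel file"
SAMPLE = (
    "demo-pkg==1.0.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(WHEEL).hexdigest() + " \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "    # via another-pkg\n"
    "loose-pkg>=2.0\n"
)

if __name__ == "__main__":
    print(audit(parse_hashed_requirements(SAMPLE)))
```

An empty list from `audit` means every entry is pinned and hashed, which is the state in which CI needs no further resolution and a swapped artifact fails the hash comparison.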

It is my understanding that the community has been trying to standardise a lockfile for years:

  • Take 1 https://peps.python.org/pep-0650/ withdrawn
  • Take 2 https://peps.python.org/pep-0665/ rejected

And to the best of my knowledge, efforts continue to provide such a standard.

It was comforting to see the uv devs being so open and receptive to community feedback already and I hope they take a sensible approach and carefully avoid blessing locking formats that are far from being "standard".

astrojuanlu avatar Feb 22 '24 11:02 astrojuanlu

@thomasleveil, you can also pass stdin:

```
pipenv requirements | uv pip compile --generate-hashes -o requirements.txt -
```

@astrojuanlu, there's a Take 3 (discussion phase, before PEP), continuing from the mousebender project 🙂

helderco avatar Mar 14 '24 17:03 helderco

> take a sensible approach and carefully avoid blessing locking formats that are far from being "standard".

Just because something is an "official" standard doesn't necessarily mean it's good or well designed -- I think Python of all ecosystems is an example of that. If Python can't settle on a lockfile standard for several more years, I don't see why uv should be held back and not implement either its own format or one of the proposals.

vlad-ivanov-name avatar Apr 18 '24 09:04 vlad-ivanov-name

We're building a lock file; see https://github.com/astral-sh/uv/issues/3347

zanieb avatar Jun 19 '24 00:06 zanieb