
pipenv ignores version constraint without ==

Open rittneje opened this issue 3 years ago • 1 comments

This is with the latest release (2022.1.8).

Issue description

If you try to pin to a version, but neglect to include ==, then pipenv ignores the constraint entirely. It is a common misunderstanding to assume they would be equivalent. (And in fact I think pipenv is wrong for not treating them so.)

For example, requests = "2.23.0" will install latest instead.

Expected result

Either requests = "2.23.0" should be treated as requests = "==2.23.0", or pipenv install should fail saying that the Pipfile is invalid.

Actual result

It silently installed requests 2.27.1 (current latest) instead.

Steps to replicate

Add requests = "2.23.0" to the packages section and run pipenv install.

rittneje avatar Feb 24 '22 16:02 rittneje
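
A pre-install check for the pitfall reported above, as an added example that is not part of the issue thread and not pipenv's own code: it parses a Pipfile and lists every entry whose version string has no comparison operator. The operator list follows PEP 440; the function names and the sample Pipfile are constructed for illustration, and treating `{version = "..."}` tables the same way as plain strings is an assumption.

```python
import re

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # backport with the same API

# PEP 440 comparison operators; each comma-separated clause must start with one.
_CLAUSE = re.compile(r"^\s*(===|==|~=|!=|<=|>=|<|>)\s*\S+\s*$")

def version_of(entry):
    """Return the version string of a Pipfile entry, or None if it has none."""
    if isinstance(entry, str):
        return entry
    if isinstance(entry, dict):
        # Assumption: table entries get the same check; git/path entries have no version.
        return entry.get("version")
    return None

def bare_versions(pipfile_text):
    """List (section, package, version) for versions written without an operator."""
    data = tomllib.loads(pipfile_text)
    findings = []
    for section in ("packages", "dev-packages"):
        for name, entry in data.get(section, {}).items():
            version = version_of(entry)
            if version is None or version.strip() == "*":
                continue  # no version given, or an explicit "any version"
            if not all(_CLAUSE.match(clause) for clause in version.split(",")):
                findings.append((section, name, version))
    return findings

# Constructed sample Pipfile; the first entry is the one from the issue.
SAMPLE = '''
[packages]
requests = "2.23.0"
urllib3 = "==1.26.8"
idna = ">=2.5,<4"
flask = "*"
certifi = {version = "2021.10.8", index = "pypi"}
mylib = {git = "https://example.invalid/mylib.git", ref = "main"}

[dev-packages]
pytest = "~=7.0"
'''

if __name__ == "__main__":
    for section, name, version in bare_versions(SAMPLE):
        print(f"[{section}] {name} = {version!r}: no operator, did you mean '=={version}'?")
```

Run as a CI step before `pipenv install`, a non-empty result is a reason to fail the build, since the intended pin would otherwise not be applied.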

I see what you mean, yeah that should be seen as invalid I think.

matteius avatar Feb 24 '22 16:02 matteius

Hi @matteius, Taking this up. I believe the fix will be in the sarugaku/requirementslib repository, right?

dojutsu-user avatar Oct 23 '22 08:10 dojutsu-user

@dojutsu-user that sounds accurate.

matteius avatar Oct 23 '22 08:10 matteius

Hi @matteius, Can you provide some guidance on where to look? I am not able to find the exact code in the repo for this.

dojutsu-user avatar Oct 23 '22 10:10 dojutsu-user

Hi @matteius, Can you guide me here a little bit?

dojutsu-user avatar Oct 24 '22 19:10 dojutsu-user

@dojutsu-user I honestly haven't thought it through yet -- Perhaps look for where requirementslib is using Constraint but I may not have time to look at this more closely until probably next weekend.

matteius avatar Oct 24 '22 21:10 matteius

Can this issue be rechecked with pipenv==2023.8.26?

matteius avatar Aug 26 '23 23:08 matteius