-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating only one locked dependency #966
Comments
That could also be useful for |
There's a little thing to take into account here: Changing a single dependency could change the overall set of requirements. I know that in the context of I think its a reasonable idea. Otherwise, if you want to update absolutely only one dependency, I hope this helps! |
Indeed, that was what I meant by:
|
Agree 100% - and I'll go a bit farther: this should be the default. That is, AFAICT, this is how I apologize if I'm hijacking this issue for something else, but since this is so closely related to an issue I was about to create, I thought I'd start the conversation here. Feel free to tell me I should make a new one. |
Just found this related issue as well: https://github.com/kennethreitz/pipenv/issues/418 Being able to specify I would be surprised if that change breaks anyone's workflow (famous last words), since it's more conservative than |
Tried to work around this by setting
Guessing pipenv is delegating to pip for the install, and pip respects its environment variable settings, but |
@k4nar What happens right now that you are finding undesirable? Because if you upgrade a dependency that has cascading requirements obviously it will have consequences for other dependencies. Are you suggesting some kind of resolver logic to determine the most current version of a specific package in the context of the current lockfile? I am hesitant to encourage too many hacks to resolution logic, which is already complicated and difficult to debug. @brettdh I think I can shed some light because you have most of the pieces. To be clear:
As for your lockfile and |
@techalchemy : If I have a Pipfile.lock with A, B and C where B is a dependency of A, I would like to be able to update A and B without updating C, or C without updating A and B. |
I concur with everything @k4nar wrote. Sure, I could even just pin
everything in requirements.txt and not use pipenv. The point of pipenv is
to have one tool that makes that (and the virtualenv stuff, of course)
simpler to manage; i.e. all packages are locked by default to a version
that’s known to work, but it should be straightforward to upgrade a select
few (without unexpectedly upgrading others).
…On Thu, Oct 26, 2017 at 4:28 AM Yannick PÉROUX ***@***.***> wrote:
@techalchemy <https://github.com/techalchemy> : If I have a Pipfile.lock
with A, B and C where B is a dependency of A, I would like to be able to
update A and B without updating C, or C without updating A and B.
Again of course I can pin all my dependencies & their dependencies in my
Pipfile in order to do that, but that would be a burden to maintain (like
most requirements.txt are).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/kennethreitz/pipenv/issues/966#issuecomment-339591307>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAFlnqUOEKARiFD8kEk3GVczF3NXBdVOks5swEKcgaJpZM4QEf-->
.
|
Hm I see what you guys are saying. The premise of passing a setting to pip is not what I’m worried about, it’s resolving with pip-tools that concerns me. What does this behavior look like right now? |
@techalchemy I mentioned the True, this only happens when I've changed pip's default args via environment variable; I was just pointing out that it was surprising that pipenv delegated to pip for installation but not for version locking; i.e. rather than locking what's installed, it locks what it thinks should be installed, potentially with unrequested upgrades. Could you clarify your question a bit? I think "resolving with pip-tools" is referring to what |
@brettdh The locking mechanism include a notion of "dependency resolution" that does not exist in
I'm not sure how those The "original" Pointing back to my resume of how So in
Effectively, it means that existing pins are given a "priority" as candidate to try first. But in
So, I think the same behavior for the locking in |
@vphilippon do you have a sense of how difficult implementation on that would be? |
But, as I'm looking into this, and following @brettdh comments, I realize a few things:
@techalchemy If there's something unclear, ask away, a lot of editing went on when writing this. (Dependency resolution is not easy. Good and practical dependency resolution is even worst 😄 ) |
@vphilippon that's exactly what I meant. Keeping the things that pip installs in sync with the things that pip-tools resolves is non-trivial unless you drive the process backwards, using the resolved lockfile to do the installation. I'm pretty sure that was why things were designed the way they were.
This workflow can possibly work with the current configuration. You can use |
@vphilippon Totally agree that A and B are desirable workflows in different situations. Some of your phrasing around B confused me a bit, though, seeming to say that Regardless of whether you are in an A workflow or a B workflow, a few things seem constant to me, and I think this squares with what @techalchemy is saying as well:
I'm ignoring implementation details, but that's kind of the baseline behavior I expect from a package manager with a lockfile feature. Running Am I missing any use cases? I can think of optimizations for B - e.g. a flag or env var that tells it to always update eagerly - but I think that covers the basics. I also know I'm retreading ground you've already covered; it's just helpful for me to make sure I understand what you're talking about. :) |
@brettdh this is correct -- the |
As a potential resolution to this: something that pip itself currently supports, but A constraints file differs from a requirements file, in that it says "If this component is installed, then it must meet this version constraint". However, if a particular package in the constraints file doesn't show up in the dependency tree anywhere, it doesn't get added to the set of packages to be installed. This is the feature that's currently missing from
Constraints file support at the pip-tools resolver level would then be enough for |
currently not supported, thanks for the feedback |
Do you mean:
This is a sufficient inconvenience given the inconsistency with how other similar locking package managers work that it would be good to keep this open as a solicitation for PRs. If instead it's (3), and this will not be added, then I think a number of us on the issue will need to adjust our plans for our choice of Python package management tools. |
I mean that this is currently not supported, and I appreciate the feedback. |
I understand that it's not supported. Are you also saying that you would not accept PRs either changing this behavior or adding this as an option? |
I have no idea. |
@k4nar still interested in doing a PR for this? Specifically, something like |
I'm interested but I'm not sure to know how would be the best way to implement this. There are a lot of components in action (pip, pip-tools, pipfile, pipenv…) and probably a lot of possible solutions. |
The |
Yeah that's along the lines of what I was trying to suggest in #966 (comment) |
Really excited to hear this is being worked on! In the mean time, does anyone have a suggested workaround that's less laborious and error-prone than running |
@benkuhn Not that I know off - I do the same lock & revert dance all the time. |
Ah ok, you can at least sometimes avoid hand-reverting:
Unfortunately it's still possible to create an inconsistent |
|
Am I correct that it is not possible to update/install single dependency using Editing Pipfile.lock manually is no fun... |
Same than @max-arnold , it's my first day using the tool in an existing project, and I have to say I'm really disappointed, before I started to use it, I checked the doc site and the video demo, it looked impressive to me, and now this: in real project, work with Of course, ### if the update is mandatory, it's OK to update all the necessary dependencies, but just those, not all the outdated instead. Also the options But my major disappointing is why this package was recommended by the Python official documentation itself, these recommendations should be more careful conducted, I know this can be a great project in the feature, have a lot of potential, but simple things like this (we are not talking about a bug or a minor feature), make this project not eligible for production environments, but suddenly because it was recommended by the Python docs, everybody are trying to use it, instead of looking for other tools that maybe work better, or just stick with |
@mrsarm Thank you for your opinion. Sorry things don’t work for you. I don’t understand where the disappointment comes from, however. Nobody is forcing Pipenv on anyone; if it doesn’t work for you, don’t use it. That is how recommendations work. Your rant also has nothing particularly related to this issue. I understand it requires a little self-control to not dumping trash on people when things don’t go your way, but please show some respect, and refrain from doing so. |
@uranusjr it's not trash, it's an opinion, and some times it's not an option, like my case, where somebody chose pipenv to create a project where I started to work now, and I have to deal with this. But things get worst just now, and what I going to say it's not an opinion, it's a fact. After trying to add one dependency that just I dismissed to avoid to deal with this issue (because it's a dev dependency, so I created a second environment with The new dependency is PyYAML, let say the latest version. If you install it in any new environment with So the conclusion (and again an opinion, not a fact like pipenv broke all my dependencies) it's that Pipenv instead of help me to deal with the dependencies management, it turn it into hell. |
I've followed this thread for months, and I think any real project will ultimately stumble upon this issue, because the behavior is unexpected, counter-intuitive, and yes: dangerous. About a month ago I tried out a more-comprehensive alternative to
I weighed sharing these thoughts on the
p.s. I think the concern about Pipenv being the "official" solution is due to it's first-class integrations – something that you, @uranusjr, might see it as a simple recommendation – the industry at large is taking it as the "blessed approach going forward". Frankly, that recommendation is more authoritative in the community than certain PEPs that have been around for more than a year. |
Nobody is forcing you to participate in our issue tracker; if you don’t have a productive comment please find a forum that is not for triaging issues. For users who are interested in trying the alternative resolver @uranusjr and myself have been implementing for several weeks now, please try out https://github.com/sarugaku/passa which will generate compatible lockfiles. Poetry does a lot of different things, but it also has limitations and issues itself, and we have a design philosophy disagreement about scope. This is a project we manage in our spare time; if you want to see something fixed or you have a better approach, we are happy to accept contributions. If you are here to simply tell us we ruined your day and your project, I will ask you only once to see yourself out. We have not forgotten or ignored this issue, we have a full implementation of a fix in the resolver linked above. Have patience, be courteous, or find somewhere else to talk. To those who have been waiting patiently for a fix, please do try the resolver mentioned above— we are eager to see if it meets your needs. It implements proper backtracking and resolution and shouldn’t handle this upgrade strategy In the shorter term I think we can get a band aid for this into pipenv if we don’t wind up cutting over first. |
@dfee I am not really sure that blurring lines between applications and libraries is the correct answer to dependency management, so I don’t see poetry’s approach as an advantage. I wasn’t involved in whatever your issue was with the recommendation engine, but we took that out some time ago... |
Why though? I never understood this idea that you should manage the dependencies of a library and an application differently. The only difference between the two is the lock file which is needed for an application to ensure a reproducible environment. Other than that it's the same thing. This is the standard in most other languages and Python seems the exception here for some reason and this is bad from a user experience standpoint since this is making things more complex than they should be.
Which ones? I am really curious about the issues or limitations you encountered while using Poetry. |
My apologies to bean so rude. Now reading my comments I realize that despite the info I provided and some of my options are still valid (IMHO), it's wasn't appropriated the way I wrote what I wanted to say. I understand that the issue tracker is most a place where to discuss bugs and improvements, and discuss whether this is a bug or an error by design is not clear in the thread, but again my apologies. I thing there are two strong topics here:
In case it's a bug in on one of these params To compare with a similar scenario, imagine that you execute |
@sdispater the distinction is at the heart of every disagreement we've ever had and it's incredibly subtle but I'd point you at https://caremad.io/posts/2013/07/setup-vs-requirement/ or a good article for the elixir use case: http://blog.plataformatec.com.br/2016/07/understanding-deps-and-applications-in-your-mixfile/
@mrsarm For your first question, the update behavior was intentional (and was discussed extensively at the time, /cc @ncoghlan and related to OWASP security concerns). On the second point, the behavior is currently not properly implemented which is why the issue is still opened, which led us to rewriting the backing resolver behind pipenv, which I mentioned above. It simply didn't support this behavior. |
Well this is certainly off topic but it's an important discussion so I can't help myself. There is actually no standard around
Anyway, going back to pipenv vs poetry - there seems to be some idea floating around that applications don't need certain features that libraries get, like entry points, and this is just incorrect. It should be straightforward for an application to be a python package. The only true difference between an application and a library in my experience with python and with other ecosystems is whether you're using a lockfile or not. Of course there's a third case where you really just want a |
Distutils is part of the standard library and setuptools is installed with pip now, so saying that there is no standard is a bit silly. Not to mention it uses the standard outlined in pep 345 for metadata, among others, and can also be used to specify build requirements.
Do you mean the pep authors? You can ask them why they made their decision, they outline it all in the pep.
This came up on the mailing list recently -- nothing anywhere has declared a standard around
Who is saying that applications don't require entry points? Pipenv has an entire construct to handle this.
Not following here... we are not going to leave pip vendored at version 10 forever, I've literally been describing our new resolver, and the actual installer just falls back to pip directly... how does this prevent people from using editable installs? |
That's correct, it is not a "standard", yet in that same thread recognise that by calling it So by the same logic you invoked here:
|
PEP 517 punted on editable installs... which means there is no standard way to install a project in editable mode if you are not using setup tools (which has a concept known as develop mode which installs the project in editable mode). |
This comment has been minimized.
This comment has been minimized.
https://pipenv.readthedocs.io/en/latest/advanced/#custom-script-shortcuts Please read the documentation. |
Great, and we are happy to accommodate sdists and wheels built using this system and until there is a standard for editable installs we will continue to pursue using pip to build sdists and wheels and handle dependency resolution that way. Please read my responses in full. The authors and maintainers of pip, of the peps in question, and myself and @uranusjr are pretty well versed on the differences between editable installs and the implications of building them under the constraints of pep 517 and 518. So far All I'm seeing is that the peps in question didn't specifically address how to build them because they leave it up to the tooling, which for some reason everyone thinks means pipenv will never be able to use anything but setuptools? I've said already this is not correct. If you are actually interested in the implementation and having a productive conversation I'm happy to have that. If you are simply here to say that we don't know what we're doing, but not interested in first learning what it is we are doing, this is your only warning. We are volunteers with limited time and I am practicing a 0 tolerance policy for toxic engagements. I do not pretend my work is perfect and I don't pretend that pipenv is perfect. I will be happy to contribute my time and effort to these kinds of discussions; in exchange I ask that they be kept respectful, that they stick to facts, and that those who participate also be willing to learn, listen, and hear me out. If you are here just to soapbox you will have to find another platform; this is an issue tracker. I will moderate it as necessary. This discussion is wildly off topic. If anyone has something constructive to say about the issue at hand, please feel free to continue that discussion. If anyone has issues or questions about our build system implementations, please open a new issue. If you have issues with our documentation, we accept many pull requests around documentation and we are aware it needs work. Please defer all of that discussion to new issues for those topics. And please note: the same rules will still apply -- this is not a soapbox, it is an issue tracker. |
Entry points are a more general concept than just console scripts and this link is completely erroneous in addressing those concerns. |
In the project we maintain, we can soapbox. And yes, pip will support all compliant build systems which you both yourselves seem to full well understand will produce consumable metadata, and as pipenv uses pip as the backing tool to drive its installation process, as I described, yes, pipenv will support all compliant tooling. I already said this. So yeah, please take your toxicity somewhere else. Your attitude is not welcome here. Final warning. Persistent attempts to incite conflict won’t be tolerated. |
There is too much to parse here and I would just be echoing the sentiment that:
or that
In fact -- we have pretty great resolution of dependencies now that will update within the constraints you specify in your Anyway I am closing this one down for the history books and If there is anything relevant in this thread that is not addressed or needs a new issue -- feel free to open one, but keep in mind that the current behavior is correct with respect to dependency resolution and keeping the constraints of the |
Sometimes I'm doing a PR and I want to update a specific dependency but I don't want to deal with updates of all my dependencies (aiohttp, flake8, etc…). If any breaking change was introduced in those dependencies, I want to deal with it in another PR.
As far as I know, the only way to do that would be to pin all the dependencies that I don't want to update in the Pipfile. But I find it to defeat the purpose of Pipenv in the first place :) .
So my feature request would be to be able to do something like:
That would generate a Pipfile.lock with updates for only
my-awesome-dep
and its dependencies.I can probably make a PR for that, but I would like to get some feedback first.
The text was updated successfully, but these errors were encountered: