I just did:
pipenv install django[argon2]
And this changed my Pipfile:
-django = "==2.1.5"
+django = {extras = ["argon2"],version = "*"}
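Review bot: the `+` line replaces the exact pin `==2.1.5` with `version = "*"`, so Django is no longer held at a fixed release once the extra is added. Keep the pin next to the extra, as in `version = "==2.1.5"` together with `extras = ["argon2"]`.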
I want to pin the requirements. First I will pin django to 2.1.5:
django = {extras = ["argon2"],version = "==2.1.5"}
What about argon2? Is that a separate package? There is no such package when I do pip freeze:
$ pip freeze | grep -i argon2
argon2-cffi==19.1.0
What is that? How do I fully pin django[argon2]?
$ pipenv lock is used to create a Pipfile.lock, which declares all dependencies (and sub-dependencies) of your project, their latest available versions, and the current hashes for the downloaded files. This ensures repeatable, and most importantly deterministic, builds.
You might also want to add --ignore-pipfile to pipenv install, as to not accidentally modify the lock-file on each test run. This causes Pipenv to ignore changes to the Pipfile and (more importantly) prevents it from adding the current environment to Pipfile.
☤ Example Pipfile & Pipfile.lock
Pipfiles contain information for the dependencies of the project, and supersede the requirements.txt file used in most Python projects. You should add a Pipfile in the Git repository.
In my Pipfile, I found this possible by double-quoting the package and the version
[packages]
"django[argon2]" = "==2.1.5"
From the Requirement Specifier docs for pip, you can combine these forms:
SomeProject == 1.3
SomeProject >=1.2,<2.0
SomeProject[foo, bar]
This means you can do this command:
pipenv install "django[argon2]==2.1.5"
Which generates this Pipfile entry:
django = {version = "==2.1.5", extras = ["argon2"]}
That command installs Django and:
==VERSION)
There is no argon2 package. The [argon2] means it is an optional dependency or an optional feature of Django. What gets installed is the argon2-cffi and cffi packages, which are the optional dependencies Django needs to use Argon2. You can see this in the Pipfile.lock:
"argon2-cffi": {
    "hashes": [
        ...
    ],
    "version": "==20.1.0"
},
"cffi": {
    "hashes": [
        ...
    ],
    "version": "==1.14.6"
},
"django": {
    "extras": [
        "argon2"
    ],
    "hashes": [
        ...
    ],
    "index": "pypi",
    "version": "==2.1.5"
},
This is also mentioned in the Django docs:
To use Argon2 as your default storage algorithm, do the following:
- This can be done by running python -m pip install django[argon2], which is equivalent to python -m pip install argon2-cffi (along with any version requirement from Django’s setup.cfg)
The difference of doing pipenv install django[argon2] compared to installing django and argon2-cffi separately (as with this other answer) is that, during installation, you let Django's setuptools decide which version of argon2-cffi to use. This is better because the Django maintainers probably wrote and tested the code for Argon2 support using a compatible version of argon2-cffi.
This can be seen in Django's setup.cfg file (for Django 3.2.6 at the time of this writing):
[options.extras_require]
argon2 = argon2-cffi >= 19.1.0
which indicates that when using the optional [argon2] feature, it needs to install that range of versions of argon2-cffi. As James O' Brien commented: "A specific version of django would require specific versions of the extras."
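The pinning discussed in this answer can be checked mechanically. The following is an added example, not part of the original answer or of Pipenv: it audits a Pipfile.lock for entries that are not exact == pins or that carry no hashes, and checks that the package pulled in by django[argon2] meets the minimum from the setup.cfg line quoted above. The lock contents, the function names audit_lock and release_tuple, and the EXTRAS_REQUIRE table are constructed for illustration.

```python
import json
import re

# Constructed sample in the Pipfile.lock layout; hash values are placeholders.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "<placeholder>"}},
    "default": {
        "argon2-cffi": {"hashes": ["sha256:<placeholder>"], "version": "==20.1.0"},
        "cffi": {"hashes": [], "version": "==1.14.6"},
        "django": {"extras": ["argon2"], "hashes": ["sha256:<placeholder>"],
                   "index": "pypi", "version": "==2.1.5"},
        "pytz": {"hashes": ["sha256:<placeholder>"], "version": ">=2018.9"},
    },
    "develop": {},
})

# Assumption: this table is copied by hand from the setup.cfg line quoted above.
EXTRAS_REQUIRE = {("django", "argon2"): ("argon2-cffi", (19, 1, 0))}


def release_tuple(pin):
    """'==20.1.0' -> (20, 1, 0), padded to three parts; None if not '==N.N...'."""
    match = re.match(r"==(\d+(?:\.\d+)*)", pin)
    parts = [int(p) for p in match.group(1).split(".")] if match else None
    return tuple(parts + [0] * (3 - len(parts))) if parts else None


def audit_lock(lock_text):
    """Return sorted (package, problem) findings for a Pipfile.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("default", "develop"):
        packages = lock.get(section, {})
        for name, entry in packages.items():
            pin = entry.get("version", "")
            if not pin.startswith("==") or "*" in pin:
                findings.append((name, "not pinned to an exact version"))
            if not entry.get("hashes"):
                findings.append((name, "no hashes recorded"))
            for extra in entry.get("extras", []):
                dep, minimum = EXTRAS_REQUIRE.get((name, extra), (None, None))
                if dep is None:
                    continue
                locked = release_tuple(packages.get(dep, {}).get("version", ""))
                if locked is None:
                    findings.append((dep, f"needed by {name}[{extra}] but not locked"))
                elif locked < minimum:
                    findings.append((dep, f"below the minimum for {name}[{extra}]"))
    return sorted(findings)
```

On the constructed sample, audit_lock(SAMPLE_LOCK) reports cffi for having no hashes and pytz for using a range instead of an exact pin.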