
pipenv: why to run pipenv lock when lock file is automatically created whenever I install a package

Tags: python, pipenv

Pipenv:

I found at https://realpython.com/pipenv-guide/ that to transfer the project to development I have to run

pipenv lock 

(to update/create the Pipfile.lock file)

As per my understanding whenever we install any package using

pipenv install django

Pipfile.lock is automatically generated/updated.

So what's the need to do

pipenv lock

Isn't the Pipfile.lock always updated?

Of course, in case I want to create the .lock file at any time (if by chance it's deleted), I may do pipenv lock.

Also, if by chance the Pipfile is deleted, can I recreate it again?

Santhosh asked Oct 08 '18 08:10




1 Answer

You're right that the Pipfile.lock has already been created when installing the virtual environment or some packages. As far as I understand, the goal would be to update all your dependencies before entering production.

But I think, against the documentation, you should not update the Pipfile.lock at this stage, unless you're very confident in your CI pipeline and your test framework, because it could potentially deploy in production some untested dependency version. Remember that pipenv lock will not install on your development machine the updated dependencies, and if you rerun your tests without pipenv sync you will not test the updated dependencies. I prefer locking once and for all the dependencies at an early stage, then keep it until deployment, then after the deployment update the dependencies and begin the next version.

That's also why I am very careful with pip install <package>, because it will also automatically update all your dependencies, while I would prefer that pipenv tries to keep all the other dependency versions unchanged, unless specifically specified or there is a clash between dependency versions.

gaFF answered Oct 01 '22 00:10
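The gap the answer describes, a Pipfile.lock that was re-locked while the virtual environment still holds the old versions, can be checked before tests run. The script below is an added example, not part of the original answer or of pipenv itself; the function names, SAMPLE_LOCK and SAMPLE_ENV are constructed for illustration.

```python
import json
import re
import sys
from importlib import metadata

def _norm(name):
    # PEP 503 normalisation so "Django" in the lock matches "django" installed
    return re.sub(r"[-_.]+", "-", name).lower()

def lock_pins(lock_text, sections=("default", "develop")):
    """Return {normalised name: pinned version} from Pipfile.lock JSON text."""
    lock = json.loads(lock_text)
    pins = {}
    for section in sections:
        for name, entry in lock.get(section, {}).items():
            version = entry.get("version", "")
            if version.startswith("=="):  # editable/VCS entries carry no pin
                pins[_norm(name)] = version[2:]
    return pins

def installed_versions():
    """Versions actually present in the environment running this script."""
    found = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            found[_norm(name)] = dist.version
    return found

def drift(pins, installed):
    """List (name, locked, installed) where the environment differs from the lock."""
    return [(name, locked, installed.get(name))
            for name, locked in sorted(pins.items())
            if installed.get(name) != locked]

# Constructed sample: the lock was updated to Django 2.1.2, the environment was not.
SAMPLE_LOCK = json.dumps({
    "_meta": {"pipfile-spec": 6},
    "default": {"Django": {"version": "==2.1.2"}, "pytz": {"version": "==2018.5"}},
    "develop": {"my-lib": {"editable": True, "path": "."}},
})
SAMPLE_ENV = {"django": "2.1.1", "pytz": "2018.5"}

if __name__ == "__main__":
    try:
        with open("Pipfile.lock") as fh:
            text, env = fh.read(), installed_versions()
    except FileNotFoundError:
        text, env = SAMPLE_LOCK, SAMPLE_ENV  # fall back to the constructed sample
    problems = drift(lock_pins(text), env)
    for name, locked, have in problems:
        print(f"{name}: locked {locked}, installed {have or 'missing'}")
    sys.exit(1 if problems else 0)
```

Run it inside the project environment as a CI step before the test suite; a non-zero exit means the tests would not exercise the locked versions, and pipenv sync brings the environment back in line with the lock.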