I'm looking into using pipenv and in the docs here
https://pipenv.pypa.io/en/latest/basics/#importing-from-requirements-txt
it says (emphasis mine)
Note, that when importing a requirements file, they often have version numbers pinned, which you likely won’t want
Why is this?
I understand that the Pipfile.lock file will store the specific versions and hashes of the dependencies I install but don't I want to be able to see the specific versions of what is installed in Pipfile? (The same way I do when I use a requirements.txt?)
The Pipfile.lock is intended to specify, based on the packages present in Pipfile, which specific version of those should be used, avoiding the risks of automatically upgrading packages that depend upon each other and breaking your project dependency tree.
$ pipenv lock is used to create a Pipfile.lock, which declares all dependencies (and sub-dependencies) of your project, their latest available versions, and the current hashes for the downloaded files. This ensures repeatable, and most importantly deterministic, builds.
You might also want to add --ignore-pipfile to pipenv install, so as not to accidentally modify the lock-file on each test run. This causes Pipenv to ignore changes to the Pipfile and (more importantly) prevents it from adding the current environment to Pipfile.
When two developers are working on a project with different operating systems, the Pipfile.lock is different (especially the part inside host-environment-markers). For Composer, most people recommend committing composer.lock.
The docs are quite opinionated on the likely reason you have pinned versions on your requirements file: it probably came from pip freeze > requirements.txt.
Of course you'll want to specify some or all version ranges in your Pipfile, it's just that many people have them pinned in the requirements.txt because they used to treat it like a kind of Pipfile.lock, specifying versions of packages that aren't even direct dependencies. Naturally, if you didn't follow this practice, you don't have to worry about that warning.
This is very likely the result of Kenneth Reitz (Pipenv creator) himself doing that previously, as mentioned in his blog post A Better Pip Workflow. Clarification on this matter was already asked and answered by him in the official repository.
UPDATE JUNE, 2018
That message used to be printed as a warning by the pipenv command as well, but it has been replaced with
requirements.txt found, instead of Pipfile! Converting… Warning: Your Pipfile now contains pinned versions, if your requirements.txt did. We recommend updating your Pipfile to specify the "*" version, instead.
A little bit more friendly, but I think it's still implicitly saying that pinning versions on Pipfile is not ideal, which is not true. It's perfectly fine.
I'm not sure what the case was previously, however, the latest documentation says that you can specify the version number for a package when you install it, like this:
pipenv install requests==2.13.0
This will also update the package in your Pipfile to include the version number, which looks like this:
requests = "==2.13.0"
You can do this for each of the packages you want to specify version numbers for—including if you've previously installed them.
I think you may be able to manually edit your Pipfile to do this, although I'm not sure if that'd be correct.