pipenv incorrectly resolves dev-dependencies

[sobolevn]

When installing dev dependencies some packages receive wrong versions.
These packages seem to ignore constraints defined in Pipfile.

Describe your environment

1. OS Type: macos, 10.11.6
2. Python version: $ python -V, 3.6.2
3. Pipenv version: $ pipenv --version, 9.0.1

Expected result

I expect that django==1.11 will be installed.

Actual result

django==2.0 is installed.

Steps to replicate

Pipfile

[[source]]

url = "https://pypi.python.org/simple"
verify_ssl = true


[requires]

python_version = '3.6'


[dev-packages]

django-debug-toolbar = "*"


[packages]

django = "<1.12"

Pipfile.lock

{
    "_meta": {
        "hash": {
            "sha256": "b802355565a0f9e930143694c9133a2693b413a900600db3683a82a2406fed7a"
        },
        "host-environment-markers": {
            "implementation_name": "cpython",
            "implementation_version": "3.6.2",
            "os_name": "posix",
            "platform_machine": "x86_64",
            "platform_python_implementation": "CPython",
            "platform_release": "15.6.0",
            "platform_system": "Darwin",
            "platform_version": "Darwin Kernel Version 15.6.0: Fri Feb 17 10:21:18 PST 2017; root:xnu-3248.60.11.4.1~1/RELEASE_X86_64",
            "python_full_version": "3.6.2",
            "python_version": "3.6",
            "sys_platform": "darwin"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "url": "https://pypi.python.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "django": {
            "hashes": [
                "sha256:fad46f44f6f4de66aacaa92e7753dbc4fe3ae834aa2daffaca0bf16c64798186",
                "sha256:fed3e79bb5a3a8d5eb054c7a1ec1de229ef3f43335a67821cc3e489e9582f711"
            ],
            "version": "==1.11.8"
        },
        "pytz": {
            "hashes": [
                "sha256:80af0f3008046b9975242012a985f04c5df1f01eed4ec1633d56cc47a75a6a48",
                "sha256:feb2365914948b8620347784b6b6da356f31c9d03560259070b2f30cff3d469d",
                "sha256:59707844a9825589878236ff2f4e0dc9958511b7ffaae94dc615da07d4a68d33",
                "sha256:d0ef5ef55ed3d37854320d4926b04a4cb42a2e88f71da9ddfdacfde8e364f027",
                "sha256:c41c62827ce9cafacd6f2f7018e4f83a6f1986e87bfd000b8cfbd4ab5da95f1a",
                "sha256:8cc90340159b5d7ced6f2ba77694d946fc975b09f1a51d93f3ce3bb399396f94",
                "sha256:dd2e4ca6ce3785c8dd342d1853dd9052b19290d5bf66060846e5dc6b8d6667f7",
                "sha256:699d18a2a56f19ee5698ab1123bbcc1d269d061996aeb1eda6d89248d3542b82",
                "sha256:fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7"
            ],
            "version": "==2017.3"
        }
    },
    "develop": {
        "django": {
            "hashes": [
                "sha256:af18618ce3291be5092893d8522fe3919661bf3a1fb60e3858ae74865a4f07c2",
                "sha256:9614851d4a7ff8cbd32b73c6076441f377c45a5bbff7e771798fb02c43c31f47"
            ],
            "version": "==2.0"
        },
        "django-debug-toolbar": {
            "hashes": [
                "sha256:4af2a4e1e932dadbda197b18585962d4fc20172b4e5a479490bc659fe998864d",
                "sha256:d9ea75659f76d8f1e3eb8f390b47fc5bad0908d949c34a8a3c4c87978eb40a0f"
            ],
            "version": "==1.9.1"
        },
        "pytz": {
            "hashes": [
                "sha256:80af0f3008046b9975242012a985f04c5df1f01eed4ec1633d56cc47a75a6a48",
                "sha256:feb2365914948b8620347784b6b6da356f31c9d03560259070b2f30cff3d469d",
                "sha256:59707844a9825589878236ff2f4e0dc9958511b7ffaae94dc615da07d4a68d33",
                "sha256:d0ef5ef55ed3d37854320d4926b04a4cb42a2e88f71da9ddfdacfde8e364f027",
                "sha256:c41c62827ce9cafacd6f2f7018e4f83a6f1986e87bfd000b8cfbd4ab5da95f1a",
                "sha256:8cc90340159b5d7ced6f2ba77694d946fc975b09f1a51d93f3ce3bb399396f94",
                "sha256:dd2e4ca6ce3785c8dd342d1853dd9052b19290d5bf66060846e5dc6b8d6667f7",
                "sha256:699d18a2a56f19ee5698ab1123bbcc1d269d061996aeb1eda6d89248d3542b82",
                "sha256:fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7"
            ],
            "version": "==2017.3"
        },
        "sqlparse": {
            "hashes": [
                "sha256:d9cf190f51cbb26da0412247dfe4fb5f4098edb73db84e02f9fc21fdca31fed4",
                "sha256:ce028444cfab83be538752a2ffdb56bc417b7784ff35bb9a3062413717807dec"
            ],
            "version": "==0.2.4"
        }
    }
}

Now, run pipenv install --dev.
And pip freeze just to be sure:

» pipenv run pip freeze
Django==2.0
django-debug-toolbar==1.9.1
pytz==2017.3
sqlparse==0.2.4

As you can see django==2.0 violates my constraint django<1.12.

[kennethreitz]

this is a known bug — 

[techalchemy]

I would lean toward #1177 (comment) as a solution

[epicserve]

@kennethreitz,

Is there a workaround until a release is made to fix this issue?

[uranusjr]

Current workaround is to repeat production dependencies in dev-packages. I think discussion is happening in #1255.

[ovidner]

I've thrown together a script to help detect conflicting versions between the different sections of Pipfile.lock: https://gist.github.com/ovidner/d01661ded87df226334b14fa8f9e69d1

It's not that pretty, but it works. :)

[joshfriend]

Another side effect of this that I noticed in #1342 is that pipenv install --dev will install a different version of the dependency (Django in this issue, Flask in mine) depending on how many times the command is run. Also, running pipenv graph with a Pipfile as described in these two issues will not show Django/Flask as top-level dependencies, even though they are listed specifically, and are only shown if they are a sub-dependency of another package.

In my mind, the dev packages section is meant to be complimentary/additive to the dependencies in the main section, not alternative set of dependencies. Therefore, I think that @techalchemy's suggestion of a flat Pipfile.lock makes the most sense.

[kennethreitz]

fixed

[Alphare]

Pro-tip: You may still encounter this bug after upgrading if your lockfile was generated before the fix. Removing then creating a new lockfile with an updated Pipenv fixes the issue for me.

[mikemahony]

Where was this fixed? I'm experiencing the issue with:

python -V, 2.7.13
pipenv --version, 2018.11.26

[jkleint]

I also still have this problem with pipenv 2018.11.26 and Python 3.7.2 on Linux.