Wrong version resolved

[dalai4git]

Observed:

Pipenv lock file contains incompatible versions (possibly related to #1220?). Specifically I have fixed the version of six==1.10 under packages and left the version of behave free under dev-packages. Behave 1.2.6 is locked even though that version depends on six==1.11. The pipenv install -d also completes without errors installing the two incompatible versions.

Using pipenv version: 11.8.3

Expected:

Pipenv picks an older version of behave or at least issues an error if there is nothing it can do.

Pipfile:

[[source]]
url = "https://pypi.python.org/simple"
name = "pypi"
verify_ssl = true

[packages]
six = "==1.10.0"

[dev-packages]
behave = "*"

pipenv graph

behave==1.2.6
  - parse [required: >=1.8.2, installed: 1.8.2]
  - parse-type [required: >=0.4.2, installed: 0.4.2]
    - parse [required: >=1.8, installed: 1.8.2]
    - six [required: >=1.11, installed: 1.10.0]
  - six [required: >=1.11, installed: 1.10.0]

Pipfile.lock:

{
    "_meta": {
        "hash": {
            "sha256": "11a70e32a7eb08dbb8cba49632a6f031bd484d516d4f3035554e71e5c6185f86"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.python.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "six": {
            "hashes": [
                "sha256:0ff78c403d9bccf5a425a6d31a12aa6b47f1c21ca4dc2573a7e2f32a97335eb1",
                "sha256:105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a"
            ],
            "index": "pypi",
            "version": "==1.10.0"
        }
    },
    "develop": {
        "behave": {
            "hashes": [
                "sha256:b9662327aa53294c1351b0a9c369093ccec1d21026f050c3bd9b3e5cccf81a86",
                "sha256:ebda1a6c9e5bfe95c5f9f0a2794e01c7098b3dde86c10a95d8621c5907ff6f1c"
            ],
            "index": "pypi",
            "version": "==1.2.6"
        },
        "parse": {
            "hashes": [
                "sha256:8048dde3f5ca07ad7ac7350460952d83b63eaacecdac1b37f45fd74870d849d2"
            ],
            "version": "==1.8.2"
        },
        "parse-type": {
            "hashes": [
                "sha256:6e906a66f340252e4c324914a60d417d33a4bea01292ea9bbf68b4fc123be8c9",
                "sha256:f596bdc75d3dd93036fbfe3d04127da9f6df0c26c36e01e76da85adef4336b3c"
            ],
            "version": "==0.4.2"
        },
        "six": {
            "hashes": [
                "sha256:0ff78c403d9bccf5a425a6d31a12aa6b47f1c21ca4dc2573a7e2f32a97335eb1",
                "sha256:105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a"
            ],
            "index": "pypi",
            "version": "==1.10.0"
        }
    }
}

[techalchemy]

Hey @dalai4git thanks for the report! We have been discussing recently, this is kind of hard to implement but it would be nice, it just requires flattening the dependency graph before doing the final resolution steps to see if any conflicts can be resolved

[gusgordon]

Ran into this today - leaving another example here from pipenv 11.9.0:

Pipfile:

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[dev-packages]

[packages]
pandas = "==0.19.0"
pandas-datareader = "*"

[requires]
python_version = "2.7"

pipenv tries to install the latest version of pandas-datareader, even though that requires pandas>0.19.2. These issues can be fixed by pegging the floating versions that are causing the issue. In this case, pegging pandas-datareader to 0.2.1 allows dependencies to be resolved.

[techalchemy]

@gusgordon we actually have your issue fixed in master in that it at least throws a resolution error, the original issue here is related to cross-graph dependency flattening (six==1.10, but we aren't properly flattening the dependencies first)

[caspervdw]

@techalchemy Trying to implement pipenv at my work, I ran into this issue as well. We want to have packages in editable mode for developers, but not editable in a production environment.

This cross-graph depency flattening would of course be the best solution, but in the meantime, is it possible to put a flag somewhere so that pipenv does not install dependencies of dev-packages? I think that might be a nice workaround for the time being.

[techalchemy]

@caspervdw if you just run pipenv install things in dev-packages should be ignored

[caspervdw]

@techalchemy

That's right, but for dev environments (where I actually want the dev packages), all the dependencies of my editable package get resolved and cross dependency conflicts arise before [packages] are installed.

[techalchemy]

@caspervdw if you just have explicit specifications in both sections the one in packages will always win the resolution conflict

[caspervdw]

@techalchemy Thanks for the input, I do still have an issue with a private project that is using a huge dependency tree of very old packages. When I put an editable version of some package in the dev-packages, subdependency conflicts arise.

I am working on a minimal working example that is using only open source projects. Will raise an issue when I worked it out.

[techalchemy]

@caspervdw just put the version you actually want as a pin (e.g pkg = “==x.y”) in your packages section for any conflict