
updates requests to 2.20 #100

Closed
wants to merge 1 commit into from

Conversation

lsh-0
Contributor

@lsh-0 lsh-0 commented Nov 2, 2018

No description provided.

@lsh-0
Contributor Author

lsh-0 commented Nov 2, 2018

Gah! I'm really not getting pipenv. Could somebody else please update profiles to use requests >= 2.20 before I replace it with a bog-standard requirements.txt file?

@lsh-0
Contributor Author

lsh-0 commented Nov 2, 2018

It looks like @giorgiosironi is the de facto owner, with the greatest number of recent commits. If there is no actual owner anymore and no objections, I'm more than happy to replace pipenv.

@de-code

de-code commented Nov 2, 2018

Should probably add --ignore-pipfile to the pipenv command in Dockerfile.venv to only use the dependencies as per the lock file.

@giorgiosironi
Contributor

I'll retry this update to see what is going on with the other projects in the lock file.

Should probably add --ignore-pipfile

Will investigate this too, was it related?

@de-code

de-code commented Nov 2, 2018

Should probably add --ignore-pipfile

Will investigate this too, was it related?

I would say so, this build fails with "Your Pipfile.lock (c9fe50) is out of date. Expected: (de4a1b)."

With that option it won't check for outdated dependencies but will just adhere to the lock file.

We also added that option to the Python content-store: https://github.com/libero/content-store-python/blob/master/Dockerfile.venv
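One defender-side check that goes with relying on the lock file as described above, as an added example that is not part of this PR or the profiles project: a small Python script that reads a Pipfile.lock, confirms the pinned requests version is at least 2.20, and flags any entry without hashes (which pip cannot verify at install time). The Pipfile.lock content below is constructed for the example, not the project's real lock file.

```python
import json
import re

# Constructed sample Pipfile.lock excerpt (not the profiles project's real lock file);
# requests is still pinned below 2.20 and urllib3 has no hashes recorded.
SAMPLE_LOCK = """{
  "_meta": {"hash": {"sha256": "placeholder"}, "pipfile-spec": 6},
  "default": {
    "requests": {"hashes": ["sha256:aaaa"], "version": "==2.19.1"},
    "newrelic": {"hashes": ["sha256:bbbb"], "version": "==2.92.0.78"},
    "urllib3": {"hashes": [], "version": "==1.23"}
  },
  "develop": {
    "pytest": {"hashes": ["sha256:cccc"], "version": "==3.9.1"}
  }
}"""

def parse_version(spec):
    """Turn a lock pin such as '==2.20.0' into a tuple of ints for comparison."""
    m = re.fullmatch(r"==\s*(\d+(?:\.\d+)*)", spec.strip())
    if not m:
        raise ValueError(f"unexpected version spec: {spec!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def locked_packages(lock_text):
    """Map package name -> lock entry across the default and develop sections."""
    lock = json.loads(lock_text)
    packages = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            packages[name.lower()] = entry
    return packages

def check_lock(lock_text, minimums):
    """Return findings: pins below the minimum, missing packages, entries without hashes."""
    findings = []
    packages = locked_packages(lock_text)
    for name, minimum in minimums.items():
        entry = packages.get(name.lower())
        if entry is None:
            findings.append(f"{name}: not present in lock file")
        elif parse_version(entry["version"]) < parse_version("==" + minimum):
            findings.append(f"{name}: locked at {entry['version']}, need >= {minimum}")
    for name, entry in packages.items():
        if not entry.get("hashes"):
            findings.append(f"{name}: no hashes recorded")
    return findings
```

Run `check_lock(open("Pipfile.lock").read(), {"requests": "2.20"})` in CI and fail the build on a non-empty result; with `--ignore-pipfile` the install then only ever sees what this check has approved.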

@giorgiosironi
Contributor

Uhuh: pypa/pipenv#2665

@giorgiosironi
Contributor

Which actually leads to pypa/pipenv#2412

@giorgiosironi
Contributor

You're right that there is a pre-existing problem with the Docker build itself, because if I execute pipenv graph I see a newer version of newrelic w.r.t. the current lock (2.92.0.78):

(venv) root@30a877876ea9:/srv/profiles# pipenv graph | grep newrelic
newrelic==2.106.1.88

@giorgiosironi
Contributor

In a smaller example, pipenv sync for installation and pipenv update --keep-outdated requests for updates of a single package seem to work. No, they don't: they update the requests dependencies but not the package itself.

@giorgiosironi
Contributor

As far as I can understand the last word on this is pypa/pipenv#966 which is open and locked due to heated discussion. I don't have much trust in pipenv but rather than jumping on other solutions like poetry I'll hold off and:

  • fix the locking here (which seems to work)
  • allow this to go ahead by updating the world rather than updating only requests

@giorgiosironi
Contributor

I included the update, which is identical to this, in the other PR to simplify testing; let's go there.

@giorgiosironi giorgiosironi deleted the feat-requests-vuln-2 branch November 2, 2018 15:48
@lsh-0
Contributor Author

lsh-0 commented Nov 4, 2018

I had to go looking for it: https://github.com/sdispater/poetry

Thanks guys, your work is appreciated.
