Pipenv installs spurious dependencies #4371

J-M0 · 2020-06-29T23:21:21Z

Issue description

When installing any version of Django < 3.0 as a dependency and django-debug-toolbar as a dev dependency, pipenv lock determines that asgiref is a required package when it in fact is not.

Expected result

$ pipenv graph
django-debug-toolbar==2.2
  - Django [required: >=1.11, installed: 2.2.13]
    - pytz [required: Any, installed: 2020.1]
    - sqlparse [required: Any, installed: 0.3.1]
  - sqlparse [required: >=0.2.0, installed: 0.3.1]

Actual result

$ pipenv graph
asgiref==3.2.10
django-debug-toolbar==2.2
  - Django [required: >=1.11, installed: 2.2.13]
    - pytz [required: Any, installed: 2020.1]
    - sqlparse [required: Any, installed: 0.3.1]
  - sqlparse [required: >=0.2.0, installed: 0.3.1]

Steps to replicate

In a new project, run the following commands:

$ pipenv install 'Django<3.0'
$ pipenv install --dev django-debug-toolbar

$ pipenv --support

Pipenv version: '2020.6.2'

Pipenv location: '/usr/local/Cellar/pipenv/2020.6.2/libexec/lib/python3.8/site-packages/pipenv'

Python location: '/usr/local/Cellar/pipenv/2020.6.2/libexec/bin/python3.8'

Python installations found:

3.8.0: /Users/jmorris/.pyenv/versions/3.8.0/bin/python3
3.7.7: /usr/local/bin/python3
3.7.7: /usr/local/bin/python3.7m
3.7.7: /usr/local/bin/python3.7
3.6.8: /Users/jmorris/.pyenv/versions/3.6.8/bin/python3
3.5.9: /Users/jmorris/.pyenv/versions/3.5.9/bin/python3
3.5.1: /Users/jmorris/.pyenv/versions/3.5.1/bin/python3
2.7.18: /Users/jmorris/.pyenv/versions/2.7.18/bin/python2
2.7.17: /usr/local/bin/python2
2.7.17: /usr/local/bin/python2.7
2.7.16: /usr/bin/python2.7

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.8.3',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '18.7.0',
 'platform_system': 'Darwin',
 'platform_version': 'Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT '
                     '2020; root:xnu-4903.278.35~1/RELEASE_X86_64',
 'python_full_version': '3.8.3',
 'python_version': '3.8',
 'sys_platform': 'darwin'}

System environment variables:

PATH
TERM_PROGRAM
TERM
SHELL
TMPDIR
Apple_PubSub_Socket_Render
TERM_PROGRAM_VERSION
TERM_SESSION_ID
USER
SSH_AUTH_SOCK
__CF_USER_TEXT_ENCODING
PWD
EDITOR
LANG
ITERM_PROFILE
XPC_FLAGS
XPC_SERVICE_NAME
SHLVL
PYENV_SHELL
HOME
COLORFGBG
LC_TERMINAL_VERSION
ITERM_SESSION_ID
LOGNAME
LESS
LESSOPEN
LC_TERMINAL
COLORTERM
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

PATH: /usr/local/Cellar/pipenv/2020.6.2/libexec/tools:/Users/jmorris/.pyenv/shims:/Users/jmorris/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/MacGPG2/bin:/Applications/Wireshark.app/Contents/MacOS
SHELL: /usr/local/bin/fish
EDITOR: vim
LANG: en_US.UTF-8
PWD: /tmp/lol

Contents of Pipfile ('/private/tmp/lol/Pipfile'):

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
django-debug-toolbar = "*"

[packages]
django = "<3.0"

[requires]
python_version = "3.8"

Contents of Pipfile.lock ('/private/tmp/lol/Pipfile.lock'):

{
    "_meta": {
        "hash": {
            "sha256": "5e37dff5e53a743305538fdd5fb9da0dbe7eea0521b520e50a56ee191050c830"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.8"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "django": {
            "hashes": [
                "sha256:84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80",
                "sha256:e8fe3c2b2212dce6126becab7a693157f1a441a07b62ec994c046c76af5bb66d"
            ],
            "index": "pypi",
            "version": "==2.2.13"
        },
        "pytz": {
            "hashes": [
                "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
                "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
            ],
            "version": "==2020.1"
        },
        "sqlparse": {
            "hashes": [
                "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
                "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
            ],
            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
            "version": "==0.3.1"
        }
    },
    "develop": {
        "asgiref": {
            "hashes": [
                "sha256:7e51911ee147dd685c3c8b805c0ad0cb58d360987b56953878f8c06d2d1c6f1a",
                "sha256:9fc6fb5d39b8af147ba40765234fa822b39818b12cc80b35ad9b0cef3a476aed"
            ],
            "markers": "python_version >= '3.5'",
            "version": "==3.2.10"
        },
        "django": {
            "hashes": [
                "sha256:84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80",
                "sha256:e8fe3c2b2212dce6126becab7a693157f1a441a07b62ec994c046c76af5bb66d"
            ],
            "index": "pypi",
            "version": "==2.2.13"
        },
        "django-debug-toolbar": {
            "hashes": [
                "sha256:eabbefe89881bbe4ca7c980ff102e3c35c8e8ad6eb725041f538988f2f39a943",
                "sha256:ff94725e7aae74b133d0599b9bf89bd4eb8f5d2c964106e61d11750228c8774c"
            ],
            "index": "pypi",
            "version": "==2.2"
        },
        "pytz": {
            "hashes": [
                "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
                "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
            ],
            "version": "==2020.1"
        },
        "sqlparse": {
            "hashes": [
                "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
                "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
            ],
            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
            "version": "==0.3.1"
        }
    }
}

The text was updated successfully, but these errors were encountered:

stianjensen · 2020-10-20T11:00:38Z

Not sure why it ends up at the top-level, but django does require asgiref in setup.cfg:
https://github.com/django/django/blob/197b55c53469cf8344d1ba35175236780cb83bd1/setup.cfg#L43-L46

J-M0 · 2020-10-20T13:28:36Z

Yes, Django started requiring asgiref in Django 3. If you look at the requirements for Django 2.2.x, asgiref is absent:

https://github.com/django/django/blob/stable/2.2.x/setup.py#L86

GPHemsley-RELX · 2022-03-03T22:29:34Z

The linked #4455 provides more context: The packages that are being installed are future dependencies; that is, dependencies of later versions of packages that --keep-outdated is, well, keeping outdated. They shouldn't even enter into the dependency tree if their parent package is being held back.

This is still a problem in pipenv 2022.1.8.

matteius · 2022-03-04T09:33:54Z

@GPHemsley-RELX Can you check if it is still a problem in my branch that upgrades to latest pip? Branch is vendor-pip-22.0.3-followup-changes and the new pip resolver solves some other infinity lock issues so I am wondering if the resolver fixes that as well.

EDIT: Nevermind, I just checked the steps it appears to still be a problem even on my branch:

matteius@matteius-VirtualBox:~/shared-projects/pipenv-triage/pipenv-4371$ pipenv graph
asgiref==3.5.0
django-debug-toolbar==3.2.4
  - Django [required: >=2.2, installed: 2.2.27]
    - pytz [required: Any, installed: 2021.3]
    - sqlparse [required: >=0.2.2, installed: 0.4.2]
  - sqlparse [required: >=0.2.0, installed: 0.4.2]

Just noting this is specifically an issue of installing a new dependency as --dev because if I repeat the steps but install pipenv install django-debug-toolbar regularly it produces the expected graph.

dqkqd · 2022-08-08T03:43:28Z

@matteius My current solution is creating default constraints associated with packages, then pass those constraints to resolver and use them when installing dev-packages. But it only solves the case when installing from Pipfile, not the case where user provides packages.

# Pipfile
[packages]
django = "<3.0"

[dev-packages]
django-debug-toolbar = "*"

$ pipenv graph
django-debug-toolbar==3.2.4
  - Django [required: >=2.2, installed: 2.2.28]
    - pytz [required: Any, installed: 2022.1]
    - sqlparse [required: >=0.2.2, installed: 0.4.2]
  - sqlparse [required: >=0.2.0, installed: 0.4.2]

Should I open a PR just for this case?

* Add test, ensure dev lock use default packages as constraints. * Use default packages as constraints when locking develop packages. * Add test, ensure installing dev-packages use default packages as constraints. (#4371) (#2987) * Use default packages as constraints when installing provided dev packages. * change vistir.path.normalize_path to pipenv.utils.shell.normalize_path * Add function that get contraints from packages. * Add test for get_constraints_from_deps function * Use get_constraints_from_deps to get constraints * Use @cached_property instead of @Property * Use standalone utility to write constraints file * prepare_constraint_file use precomputed constraints. * Add news fragment.

matteius · 2022-08-13T12:56:20Z

New version of pipenv==2022.8.13 has been released with the fix produced by @dqkqd !

* Add test, ensure dev lock use default packages as constraints. * Use default packages as constraints when locking develop packages. * Add test, ensure installing dev-packages use default packages as constraints. (pypa#4371) (pypa#2987) * Use default packages as constraints when installing provided dev packages. * change vistir.path.normalize_path to pipenv.utils.shell.normalize_path * Add function that get contraints from packages. * Add test for get_constraints_from_deps function * Use get_constraints_from_deps to get constraints * Use @cached_property instead of @Property * Use standalone utility to write constraints file * prepare_constraint_file use precomputed constraints. * Add news fragment.

triage-new-issues bot added the triage label Jun 29, 2020

frostming added Category: Dependency Resolution Issue relates to dependency resolution. Type: Possible Bug This issue describes a possible bug in pipenv. and removed triage labels Nov 4, 2020

frostming mentioned this issue Nov 9, 2020

pipenv lock --keep-outdated adds future dependencies #4455

Closed

matteius added Type: Bug 🐛 This issue is a bug. Category: Development Issue affects development workflow. and removed Type: Possible Bug This issue describes a possible bug in pipenv. labels Mar 4, 2022

dqkqd mentioned this issue Aug 8, 2022

Issue 4371 incorrect dependencies when install dev packages #5234

Merged

2 tasks

matteius closed this as completed in #5234 Aug 13, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pipenv installs spurious dependencies #4371

Pipenv installs spurious dependencies #4371

J-M0 commented Jun 29, 2020

stianjensen commented Oct 20, 2020

J-M0 commented Oct 20, 2020

GPHemsley-RELX commented Mar 3, 2022

matteius commented Mar 4, 2022 •

edited

Loading

dqkqd commented Aug 8, 2022

matteius commented Aug 13, 2022

Pipenv installs spurious dependencies #4371

Pipenv installs spurious dependencies #4371

Comments

J-M0 commented Jun 29, 2020

Issue description

Expected result

Actual result

Steps to replicate

stianjensen commented Oct 20, 2020

J-M0 commented Oct 20, 2020

GPHemsley-RELX commented Mar 3, 2022

matteius commented Mar 4, 2022 • edited Loading

dqkqd commented Aug 8, 2022

matteius commented Aug 13, 2022

matteius commented Mar 4, 2022 •

edited

Loading