pipenv install not respecting lock file since 2024.3.1 release. #6306

Closed
chrisgavin opened this issue Nov 1, 2024 · 2 comments · Fixed by #6309

Comments

@chrisgavin

Issue description

When running pipenv install using pipenv 2024.3.0, my lockfile appears to be respected and the correct dependency versions from it are installed. When doing the same with 2024.3.1, far newer versions of the dependencies are installed.

Expected result

The versions specified in the lock file should be used.

Actual result

The latest versions of the dependencies are installed instead.

Steps to replicate

To reproduce, I've made this Dockerfile.

FROM python:3.9
WORKDIR /tmp/
RUN pip install pipenv==2024.3.1
RUN cat <<EOF > Pipfile
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
sh = "*"
EOF
RUN cat <<EOF > Pipfile.lock
{
    "_meta": {
        "hash": {
            "sha256": "f9adf532d46f4787b6afe331abe415d5698ef7523cd6225605328b61f361d427"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "sh": {
            "hashes": [
                "sha256:39aa9af22f6558a0c5d132881cf43e34828ca03e4ae11114852ca6a55c7c1d8e",
                "sha256:75e86a836f47de095d4531718fe8489e6f7446c75ddfa5596f632727b919ffae"
            ],
            "index": "pypi",
            "version": "==1.14.1"
        }
    },
    "develop": {}
}
EOF
RUN pipenv install
RUN (pipenv graph | grep 1.14.1) || (pipenv graph && false)

When building this Dockerfile the build fails on the last stage as pipenv has not installed sh 1.14.1 and instead used sh 2.1.0.

The problem does not reproduce if the pipenv version is changed to 2024.3.0, or the --deploy flag is added to the install command.


$ pipenv --support

Pipenv version: '2024.3.1'

Pipenv location: '/usr/local/lib/python3.9/site-packages/pipenv'

Python location: '/usr/local/bin/python3.9'

OS Name: 'posix'

User pip version: '24.2'

user Python installations found:

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.9.20',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '6.8.0-47-generic',
 'platform_system': 'Linux',
 'platform_version': '#47~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Oct  2 '
                     '16:16:55 UTC 2',
 'python_full_version': '3.9.20',
 'python_version': '3.9',
 'sys_platform': 'linux'}

System environment variables:

  • PATH
  • HOSTNAME
  • TERM
  • LANG
  • GPG_KEY
  • PYTHON_VERSION
  • PYTHON_SHA256
  • HOME
  • PIP_DISABLE_PIP_VERSION_CHECK
  • PYTHONDONTWRITEBYTECODE
  • PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • LANG: C.UTF-8

Contents of Pipfile ('/tmp/Pipfile'):

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
sh = "*"

Contents of Pipfile.lock ('/tmp/Pipfile.lock'):

{
    "_meta": {
        "hash": {
            "sha256": "f9adf532d46f4787b6afe331abe415d5698ef7523cd6225605328b61f361d427"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "sh": {
            "hashes": [
                "sha256:7e27301c574bec8ca5bf6f211851357526455ee97cd27a7c4c6cc5e2375399cb",
                "sha256:bf5e44178dd96a542126c2774e9b7ab1d89bfe0e2ef84d92e6d0ed7358d63d01"
            ],
            "index": "pypi",
            "markers": "python_full_version >= '3.8.1' and python_version < '4.0'",
            "version": "==2.1.0"
        }
    },
    "develop": {}
}
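
A CI guard for the failure mode reported above, as an added example that is not part of the original issue or of pipenv's code: it compares the committed Pipfile.lock with the lock left on disk after `pipenv install`, and the locked pins with the installed versions. All function names are hypothetical, and the two sample locks are constructed from the versions shown in the issue.

```python
import json
import re
from importlib import metadata

# Constructed inputs: only the fields that matter, with the versions from the
# two lock files shown in the issue (the one written by the Dockerfile and the
# one printed by `pipenv --support` after `pipenv install` had run).
LOCK_COMMITTED = json.loads('{"default": {"sh": {"version": "==1.14.1"}}, "develop": {}}')
LOCK_AFTER_INSTALL = json.loads('{"default": {"sh": {"version": "==2.1.0"}}, "develop": {}}')


def canonical(name):
    """PEP 503 name normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pins(lock, categories=("default", "develop")):
    """Map (category, package) -> pinned version string, e.g. '==1.14.1'."""
    out = {}
    for cat in categories:
        for name, entry in lock.get(cat, {}).items():
            out[(cat, canonical(name))] = entry.get("version")
    return out


def lock_drift(before, after):
    """Pins that differ between the committed lock and the lock left on disk."""
    a, b = pins(before), pins(after)
    return sorted(
        (cat, name, a.get((cat, name)), b.get((cat, name)))
        for cat, name in a.keys() | b.keys()
        if a.get((cat, name)) != b.get((cat, name))
    )


def install_drift(lock, installed):
    """Locked packages whose installed version is missing or not the exact pin."""
    findings = []
    for (_cat, name), spec in sorted(pins(lock).items()):
        if spec is None or not spec.startswith("=="):
            continue  # VCS/path entries carry no '==' pin to compare
        have = installed.get(name)
        # Assumption: pins and installed versions are both in normalised form,
        # so a plain string comparison is enough.
        if have != spec[2:]:
            findings.append((name, spec[2:], have))
    return findings


def installed_versions():
    """Versions in the current environment, keyed by canonical name."""
    return {canonical(d.metadata.get("Name")): d.version
            for d in metadata.distributions() if d.metadata.get("Name")}


if __name__ == "__main__":
    print(lock_drift(LOCK_COMMITTED, LOCK_AFTER_INSTALL))
    print(install_drift(LOCK_COMMITTED, {"sh": "2.1.0"}))  # constructed environment
```

In a pipeline, load the committed lock before the install step and pass `installed_versions()` as the second argument of `install_drift` afterwards; a non-empty result from either function should fail the build.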
@matteius matteius added the triage label Nov 1, 2024
@matteius matteius self-assigned this Nov 4, 2024
@matteius matteius added Type: Regression This issue is a regression of a previous behavior. Priority: High This item is high priority and should be resolved quickly. labels Nov 5, 2024
@matteius
Member

matteius commented Nov 5, 2024

@chrisgavin PR opened with additional test case if you wouldn't mind having a look. CC @oz123

@chrisgavin
Author

Thanks @matteius! That was quick. I can confirm this fix seems to do the job on the project I was having the issue on.

github-merge-queue bot pushed a commit to NomicFoundation/slang that referenced this issue Nov 26, 2024
Bumps the non-major-dependencies group with 2 updates:
[pipenv](https://github.com/pypa/pipenv) and
[mkdocs-material](https://github.com/squidfunk/mkdocs-material).

Updates `pipenv` from 2024.3.1 to 2024.4.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pipenv/releases">pipenv's
releases</a>.</em></p>
<blockquote>
<h2>Release v2024.4.0</h2>
<h2>What's Changed</h2>
<ul>
<li>correct regression in --skip-lock by <a
href="https://github.com/matteius"><code>@​matteius</code></a> in <a
href="https://redirect.github.com/pypa/pipenv/pull/6304">pypa/pipenv#6304</a></li>
<li>Vendoring Fall 2024 by <a
href="https://github.com/matteius"><code>@​matteius</code></a> in <a
href="https://redirect.github.com/pypa/pipenv/pull/6293">pypa/pipenv#6293</a></li>
<li>Vendor in pip==24.3.1 by <a
href="https://github.com/matteius"><code>@​matteius</code></a> in <a
href="https://redirect.github.com/pypa/pipenv/pull/6292">pypa/pipenv#6292</a></li>
<li>Add new paths to front of PATH by <a
href="https://github.com/sanders41"><code>@​sanders41</code></a> in <a
href="https://redirect.github.com/pypa/pipenv/pull/6307">pypa/pipenv#6307</a></li>
<li>Prevent regression with install upgrading packages; duplicated
sources in Pipfile prevention by <a
href="https://github.com/matteius"><code>@​matteius</code></a> in <a
href="https://redirect.github.com/pypa/pipenv/pull/6309">pypa/pipenv#6309</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/sanders41"><code>@​sanders41</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/pipenv/pull/6307">pypa/pipenv#6307</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/pipenv/compare/v2024.3.1...v2024.4.0">https://github.com/pypa/pipenv/compare/v2024.3.1...v2024.4.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pipenv/blob/main/CHANGELOG.md">pipenv's
changelog</a>.</em></p>
<blockquote>
<h1>2024.2.0 (2024-11-05)</h1>
<h1>Pipenv 2024.2.0 (2024-11-05)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Fix regression where <code>--skip-lock --dev</code> was incorrectly
searching Lockfile categories (&quot;default&quot;, &quot;develop&quot;)
instead of Pipfile categories (&quot;packages&quot;,
&quot;dev-packages&quot;), causing packages to not be found.
<code>[#6304](pypa/pipenv#6304)
&lt;https://github.com/pypa/pipenv/issues/6304&gt;</code>_</li>
<li>Fix issue where pipenv install would unintentionally upgrade
packages that had wildcard (*) specifiers in the Pipfile, even when
locked versions existed and no upgrade was requested.
<code>[#6306](pypa/pipenv#6306)
&lt;https://github.com/pypa/pipenv/issues/6306&gt;</code>_</li>
<li>Fix issue where modules could not be found
<code>[#6307](pypa/pipenv#6307)
&lt;https://github.com/pypa/pipenv/issues/6307&gt;</code>_</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Vendor in <code>pip==24.3.1</code>.
<code>[#6292](pypa/pipenv#6292)
&lt;https://github.com/pypa/pipenv/issues/6292&gt;</code>_</li>
<li>
<h2>Vendoring</h2>
<ul>
<li>Update vendored dependencies:
<ul>
<li>importlib-metadata from 8.4.0 to 8.5.0</li>
<li>packaging from 24.0 to 24.1</li>
<li>tomli from 2.0.1 to 2.0.2</li>
<li>tomlkit from 0.12.4 to 0.13.2</li>
<li>zipp from 3.18.1 to 3.20.2
<code>[#6293](pypa/pipenv#6293)
&lt;https://github.com/pypa/pipenv/issues/6293&gt;</code>_</li>
</ul>
</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pipenv/commit/1dc28bd54b24862263262b8ef4b819ce22656984"><code>1dc28bd</code></a>
Release v2024.4.0</li>
<li><a
href="https://github.com/pypa/pipenv/commit/d77bf2d3b1f49381561c3e75fc24baa1f11dccdf"><code>d77bf2d</code></a>
Bumped version to 2024.4.0.</li>
<li><a
href="https://github.com/pypa/pipenv/commit/b9e9885ac3e788b0e103519fce7cc87ffb49f55e"><code>b9e9885</code></a>
fix ruff</li>
<li><a
href="https://github.com/pypa/pipenv/commit/95f3af13f44fddc12ef03b05d1471c592130f421"><code>95f3af1</code></a>
fix my new test</li>
<li><a
href="https://github.com/pypa/pipenv/commit/8b3a057da7dfa6aac4dbd507a53cae896b459339"><code>8b3a057</code></a>
Add news fragment and test case</li>
<li><a
href="https://github.com/pypa/pipenv/commit/ea63719929c3ea70180ff61f9f0cb6f1317b6e0f"><code>ea63719</code></a>
Prevent issue with upgrading when no packages are specified to install.
Pre...</li>
<li><a
href="https://github.com/pypa/pipenv/commit/2383420af227da66edd50c838aa9abf0f70cb306"><code>2383420</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pipenv/issues/6307">#6307</a>
from sanders41/pipdeptree</li>
<li><a
href="https://github.com/pypa/pipenv/commit/65c8c5bacb9fda4d13b2cff6bbe373a45a96f787"><code>65c8c5b</code></a>
Add news file</li>
<li><a
href="https://github.com/pypa/pipenv/commit/95028e0669e44945ce6407b5091fd7a88bc04e2c"><code>95028e0</code></a>
Add new paths to front of PATH</li>
<li><a
href="https://github.com/pypa/pipenv/commit/5a519796556af5957d125ebd29b2dfc36956882b"><code>5a51979</code></a>
Vendor in pip==23.3.1</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pipenv/compare/v2024.3.1...v2024.4.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `mkdocs-material` from 9.5.43 to 9.5.46
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/squidfunk/mkdocs-material/releases">mkdocs-material's
releases</a>.</em></p>
<blockquote>
<h2>mkdocs-material-9.5.46</h2>
<ul>
<li>Added support for removing <code>preload</code> hints in privacy
plugin</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7734">#7734</a>:
Code blocks in h5 headlines are uppercased</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7725">#7725</a>:
Blog plugin crashing on missing timezone (9.5.45 regression)</li>
</ul>
<p>Thanks go to <a
href="https://github.com/nejch"><code>@​nejch</code></a> and <a
href="https://github.com/perpil"><code>@​perpil</code></a> for their
contributions</p>
<h2>mkdocs-material-9.5.45</h2>
<ul>
<li>Reduced size of Docker image through multi-stage build</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7708">#7708</a>:
Blog plugin crashing on YAML dates with timezones</li>
</ul>
<p>Thanks go to <a
href="https://github.com/FrancoisCapon"><code>@​FrancoisCapon</code></a>
and <a href="https://github.com/perpil"><code>@​perpil</code></a> for
their contributions</p>
<h2>mkdocs-material-9.5.44</h2>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7672">#7672</a>:
Font CSS 404's when using privacy plugin (9.5.43 regression)</li>
</ul>
<p>Thanks go to <a
href="https://github.com/nejch"><code>@​nejch</code></a> for their
contributions.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG">mkdocs-material's
changelog</a>.</em></p>
<blockquote>
<p>mkdocs-material-9.5.46 (2024-11-25)</p>
<ul>
<li>Added support for removing preload hints in privacy plugin</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7734">#7734</a>:
Code blocks in h5 headlines are uppercased</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7725">#7725</a>:
Blog plugin crashing on missing timezone (9.5.45 regression)</li>
</ul>
<p>mkdocs-material-9.5.45 (2024-11-20)</p>
<ul>
<li>Reduced size of Docker image through multi-stage build</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7708">#7708</a>:
Blog plugin crashing on YAML dates with timezones</li>
</ul>
<p>mkdocs-material-9.5.44 (2024-11-05)</p>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7672">#7672</a>:
Font CSS 404's when using privacy plugin (9.5.43 regression)</li>
</ul>
<p>mkdocs-material-9.5.43 (2024-10-31)</p>
<ul>
<li>Added support for external images in SVGs in privacy plugin</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7651">#7651</a>:
Privacy plugin doesn't handle quoted URLs in CSS</li>
</ul>
<p>mkdocs-material-9.5.42 (2024-10-20)</p>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7625">#7625</a>:
Invalid encoding of boolean attributes in privacy plugin</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7624">#7624</a>:
Crash when disabling privacy plugin (9.5.41 regression)</li>
</ul>
<p>mkdocs-material-9.5.41 (2024-10-15)</p>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7619">#7619</a>:
Improved tooltip on logo disappears after instant navigation</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7616">#7616</a>:
Race condition in built-in privacy plugin when inlining assets</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7615">#7615</a>:
Comments and &quot;Was this page helpful?&quot; visible when
printing</li>
</ul>
<p>mkdocs-material-9.5.40 (2024-10-10)</p>
<ul>
<li>Updated Latvian translations</li>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7597">#7597</a>:
Social cards not using site name on home page</li>
</ul>
<p>mkdocs-material-9.5.39+insiders-4.53.14 (2024-09-29)</p>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7567">#7567</a>:
Empty headlines when using typeset plugin with anchorlinks</li>
</ul>
<p>mkdocs-material-9.5.39 (2024-09-29)</p>
<ul>
<li>Fixed <a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7226">#7226</a>:
not staying on page when using mike's canonical versioning</li>
</ul>
<p>mkdocs-material-9.5.38 (2024-09-26)</p>
<ul>
<li>Added Albanian translations</li>
</ul>
<p>mkdocs-material-9.5.37 (2024-09-25)</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/b88d1f0eb9ef97c37d7eebabd131a415285249a8"><code>b88d1f0</code></a>
Prepare 9.5.46 release</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/b3f1eb27fe4ff3f050a84173b0c998323bb120c1"><code>b3f1eb2</code></a>
Fixed uppercasing of code blocks in H5 headlines</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/226321e48bc3d1faadc0e0c0802aab43980b7d6d"><code>226321e</code></a>
Updated dependencies</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/6a0a790e8f42c757bf89b5cbb941f4d1146e676d"><code>6a0a790</code></a>
Added preload hints in privacy plugin replacements (<a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7733">#7733</a>)</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/eee4934efdf21f6d3bc576afd02a63cf96485299"><code>eee4934</code></a>
Fixed blog plugin crashing on missing timezone (regression) (<a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7730">#7730</a>)</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/0947f73db3900d190b545b2f704b1e9b2bc3c3cc"><code>0947f73</code></a>
Prepare 9.5.45 release</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/a08809a0f3e43187aadb9017204171bfa40b3548"><code>a08809a</code></a>
Fixed blog plugin crashing on dates with timezones (<a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7708">#7708</a>)</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/d4f0b6693fc911278ceabeda5f21a71f8ff0b9b4"><code>d4f0b66</code></a>
Added Caption extension to JSON schema (<a
href="https://redirect.github.com/squidfunk/mkdocs-material/issues/7718">#7718</a>)</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/51c9f9acb013836910f8e190ca5041f16f09e643"><code>51c9f9a</code></a>
Updated dependencies</li>
<li><a
href="https://github.com/squidfunk/mkdocs-material/commit/596aeea30abedef3cb7b629defe4cbbec1332965"><code>596aeea</code></a>
Updated link for Material Design Icons</li>
<li>Additional commits viewable in <a
href="https://github.com/squidfunk/mkdocs-material/compare/9.5.43...9.5.46">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>