-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a way to allow explicit overrides of subdependency versions of top level packages in pipfile #1921
Comments
Your best bet currently is to put the dependency you want to override in |
I think this is a pretty legit concern btw - I spent about a week upgrading
all the little packages inside and outside my company that inaccurately
pinned stuff so we could finally use pipenv.
Not sure there’s a great solution per se (except for fixing all the
setup.py’s of the world)
…On Thu, Apr 5, 2018 at 7:33 PM Dan Ryan ***@***.***> wrote:
Your best bet currently is to put the dependency you want to override in
dev-packages -- these will be overridden by dependencies in packages. So
you can put the library that requires pyopenssl==0.13 in dev-packages and
then pin pyopenssl==0.14 in packages and you should be able to pipenv
lock --dev and pipenv install --dev with no problems
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1921 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABhjqwcuJV6tzMDkoDzBgHaErSE0Y_b4ks5tltQVgaJpZM4TIyH->
.
|
In my very humble opinion, the solution would be to handle it like pip does, let me (the developer of an application that uses a library) decide if I want to take the risk of using a newer version of a sub-dependency, under all the disclaimers of the world.
Thank you for this workaround @techalchemy, I'll see if I can make it work like that. However this was but a minuscule example, there are other use cases (a newer version of Flask to use a new feature, or other dependencies for the same reason... the bigger the app, the bigger the chance I'd need to override something), it feels kind dirty solving it like that. Perhaps a new section called overrides to handle this? All that'd be needed is for pipenv to not "break" when it encounters a conflict if the dependency is listed here? Or maybe a simple argument to skip this validation and just use the newest found? |
Yeah I agree, I left this issue open because I don't like workarounds and I think it is the best issue we've had on the topic in terms of articulating the exact nature of what would be desired here, and precisely why the current behavior can't accommodate it. If I touched the issue and I didn't close it, I was already somewhat convinced |
I just ran into this myself, where a package requires an outdated version of |
Since requirements.txt is mentioned I want to mention that it being easy to override is not exactly a good thing. Generally you want to detect incompatibilities ahead of time. Say if
This setup would never work. So I’d want [packages]
django = ">=2.0"
django-myuberplugin = "*" instead of overriding the sub-dependency, resulting in a broken (and potentially subtly buggy) environment. I’m not objecting to a way to override subdependency versions—although I’d be satisfied if a tool does not allow it. The version conflict should be resolved by the package maintainer (in this example the author of django-myuberplugin). If a way is provided, it needs to be explicit, and make it clear it is the user’s intention to do so. Something like this could work: [packages]
django = { version = ">=2.0", override = ["django-myuberplugin"] }
django-myuberplugin = "*" |
@techalchemy would you like me to propose a PR for this? I'm far from an expert in python (I only started working with it about 2.5 months ago) but I can give it a try. If so, which solution would you prefer? A new section at the dev-packages level with a list of overrides maybe? |
I think @uranusjr's suggestion of an override at the level of individual package<->requirement pairs would make sense, since that can be read as "use this dependency declaration to override the corresponding declaration for these other packages". So you'd still need to do the detective work to figure out which packages are causing conflicts, but once you've found them, you could work around the issue immediately in |
Yeah this feels like a pipfile level change— an extra package argument like |
After discussing this, I think we want to go with |
I don’t think it is the same. Please open a new issue. |
I have an interesting issue which seems to be a dependency resolution problem (or circular dependency somewhere) — or a case for overriding/enforcing dependencies of dependencies. My objective is to replicate the setup of a vendor (done on a remote server), so I am using Python and pipenv locally to install the required software — down to the Python version. And most of this works great! When I am done, I have incompatibilities though (errors from the I started with a clean install, trying to figure out how or where the In my case, it turns out that one of the dependencies lists a dependency on So I am guessing that it's impossible to go back and fix releases, especially those 1+ year old, etc.. But how to deal with it in the present? I thought I'd add this as another use-case of where to override dependencies in packages. Maybe the output could be improved to list which dependency requested the output? Or something like "select lowest version" or "honour Pipfile"? Selecting the lowest version ( I am also confused a bit by the output, "successfully installed", followed by "unable to resolve dependencies".
|
The thing is, installation is not the same as dependency resolution. If all you care about is installation, pip already has you covered. If you don't want your dependencies to get obliterated by one another in the process of serially installing them, then dependency resolution is rather important. In any event, all you've shown is your attempt at pinning a version of |
@techalchemy my problem is that even though I pinned The problem of the constraints is not something that you can fix. That's PRs to the individual projects, etc.. The problem is that it didn't honour my pinned version. It just upgraded it. Maybe that's a different issue? If so I apologise for adding noise here. (And yes, I ran |
@till, the previously proposed solutions would roughly allow you to specify that the particular package's dependency on I generally like the idea of being able to override a particular individual thing, a single package's requirement for another package/version. I would note that there are various possible things you may want to express when overriding though so a general solution that let's you specify a substitute requirement including regular version specifiers and even multiple dependencies would be good.
So it's really like we want to be able to take the existing dependency, say Now we get more complicated because really this should probably be reviewed if the package with the overridden dependency ends up at a new version... In other words, a notification/warning/error in this case would be helpful. Good fun. This seems like a messy rabbit hole but I can't convince myself that it's not an important use case. There's too much room for opinion and pragmatic 'there will be errors' to just say 'go fix the original package'. |
@altendky yes, that! ;) It's a follow the white rabbit thing! :D On a more serious note, I realise the problem is also with the packages I am using. E.g. "Your Pipfile contains
It just doesn't do that at all, instead I had broken code. Maybe that doesn't introduce a whole world of new hurt to this project? Then I can still figure out how to make things work, which is not ideal (for me), but would have been much more straight forward. The |
@techalchemy, I like your suggestion. I would be really useful to me right now if I could use azure-cli = { {version = ">=2.0.66", ignore = ["cryptography"] } because of setup.py dependency errors like Azure/azure-cli#9629. |
Thanks for bringing this back up -- I've spent a lot of time thinking this over and I currently am happy we never implemented this. I think that since the tool we maintain is That means that if you specify a pin in your pipfile, I'm thinking we should probably raise a warning or something to let you know that it is in conflict with something else we encountered, but to prefer the explicit dependency you provided and assume you are doing so to override something else. Currently, pipenv has a significant usability issue around this and I encounter it myself somewhat regularly -- it's pretty challenging to override a conflict you know is invalid. That's not something I'm ok with & I feel the best approach (per @altendky's insights above among others) is to just allow overrides. /cc @ncoghlan @uranusjr -- this is mainly a UX concern on the design here because it definitely needs to be possible |
This project seems to be unmaintained so we can't expect the upstream to allow more recent versions of Sphinx for us. This relaxes the dependency requirement on Sphinx to allow sphinx-jsondomain to be used with Sphinx v2+. This is necessary as Pipenv currently can't overrule sub-dependency versions: pypa/pipenv#1921.
I think this is grabbing the donkey by the wrong end. The dependency that we want to override is not on [packages]
django = ">=2.0"
django-myuberplugin = { version = "*", override=["django>=2.0"] } That clearly says to me that the project:
For reference, I came across this issue when trying to work out a way to use a library ( |
To me the two are the same intention expressed differently (using the same keyword):
FWIW both makes sense to me and I don’t have a preference either way. But the more important issue here is to find someone interested in actually implementing this; design details don’t really matter otherwise 😛 |
I am running into the same issue between two of my dev-packages.
which is a non-breaking constraint (API-wise) because only the license changed between 1.2 and 1.3 Unfortunately @techalchemy 's workaround did not work for me, so I resorted to pinning Is there still any plan to implement explicit overrides? Looks like there was some discussion in this thread but it fizzled out with no resolution. If resources are lacking, I'm also happy to take a stab at a prototype to jumpstart this feature. |
Would it be an option to bring this up to either |
@uranusjr That's a fair point, thanks for pointing that out. That aside, how do pipenv maintainers feel about this override feature? I'd imagine that this situation comes up quite often, as this thread and other GH issues have alluded to. |
It comes up semi-often. I've had to sometimes spend days trying to track down the maintainers of some package dependencies and ask/beg them to widen their proverbial net, so to speak. |
Isn't the new dependency resolution enforced by the latest versions of pip making this issue a no-go? This started as "pip permits this overrides" but AFAIU this won't be so anymore and I don't see how pipenv could work around that in any way. |
I think @timorthi 's point about Given that this is fully based on user experimentation however, it should be up to the programmer to determine what sub-dependencies from the package described in the Pipfile should be included. This can simply be done by including those packages themselves in the Pipfile.
|
On the topic of drop in replacements, this is already supported in NPM 8 via overrides. It's also something that's required for GPL/LGPL compliance (although falling back to pip in that case also works). |
This is a really important use-case to consider and most other package managers handle this case. Why was this closed as "not planned" without addressing this need? |
I apologize if this was raised before, but if it was I was unable to find it.
We're trying to start using pipenv but we ran into a use case in which we'd need to override a declared version of a library in another library, knowing well that the first library would continue to work with the newer version even though it declares a specific one.
For context, the problem is that a library requires pyopenssl==0.13, but in high sierra the minimum version that works is 0.14 because of the OpenSSL version (cloudera/hue#205) so we need to force at least that version
Right now we have our project working because pip supports overriding depedencies: pypa/pip#988 (comment)
However with pipenv, I'm having problems.
If I explicitly install a version that is higher than the one declared in a library, I get a conflict error
So I'd need pipenv to let me override a version, taking full responsibility about the depedency that could potentially not work but willing to take the risk.
Is there a way to do that already? If not, could this be added as a feature request?
The text was updated successfully, but these errors were encountered: