pipenv does not uninstall packages erased from Pipfile or Pipfile.lock #3052

Closed
Laski opened this issue Oct 17, 2018 · 3 comments

Laski commented Oct 17, 2018

Issue description

In order to produce really deterministic builds / reproducible environments, pipenv needs to delete packages that were uninstalled in other environments of the same project. But even if pipenv uninstall correctly updates the Pipfile.lock, pipenv sync (in another environment) fails to uninstall the package.

This seems like a serious concern to me, as it can hide huge differences between environments. This brings problems when one creates a new, tabula rasa environment and something that worked breaks, because it depends on a package that was absent from the lockfile.

Expected result

pipenv uninstalls from the environment the packages not present in the Pipfile.lock.

Actual result

pipenv keeps the "dirty" package, possibly contaminating builds.

Steps to replicate

Easiest way to replicate is to install a package through pip (which does not change Pipfile.lock) and then doing a pipenv sync. This simulates the situation of a shared lockfile that gets changed in one environment (deleting a package) with pipfile ignoring the change.

On an empty directory, run

pipenv install
pipenv shell
pip install Unidecode
pipenv sync

cat Pipfile.lock outputs:

{
    "_meta": {
        "hash": {
            "sha256": "415dfdcb118dd9bdfef17671cb7dcd78dbd69b6ae7d4f39e8b44e71d60ca72e7"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {},
    "develop": {}
}

but pip freeze outputs:

Unidecode==1.0.22

instead of the expected

@uranusjr
Member

This is intended because the community used to pip is not comfortable with auto-removal. Use pipenv clean to remove unspecified packages instead. Documentation pull request regarding this behaviour is welcomed.

@mheberlein

mheberlein commented Nov 10, 2018

I also expected pipenv sync to, well, synchronize the environment to Pipenv.lock.
Now trying Laski's repro steps but pipenv clean still doesn't remove Unidecode.

I'm on Windows 10, Python 2.7.15 x64, Pipenv 2018.10.13.

Edit: Sorry, just found #3104 and will wait for the next release.

@codingjoe

> This is intended because the community used to pip is not comfortable with auto-removal. Use pipenv clean to remove unspecified packages instead. Documentation pull request regarding this behaviour is welcomed.

@uranusjr are we really certain about this assumption? Some users may come from JavaScript, where npm ci behaves differently. Besides, if people wanted to use pip and be happy about it, they probably wouldn't switch to Pipenv. Maybe it's worth exploring this idea after all?
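
A drift check for the behaviour discussed in this thread, as an added example that is not part of the original issue and not pipenv's own code: it compares pip freeze output against Pipfile.lock and reports packages that are installed but not locked, or installed at a version other than the pinned one. The function names, the BOOTSTRAP ignore list and the sample inputs are assumptions constructed for illustration.

```python
import json
import re

# Assumption: packaging tools present in every virtualenv and never locked.
BOOTSTRAP = {"pip", "setuptools", "wheel"}

def canonical(name):
    """PEP 503 name normalization, so 'Unidecode' and 'unidecode' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def locked_packages(lock_text):
    """Map canonical name -> pinned version (None for entries without a pin)."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            version = entry.get("version")  # stored in the lockfile as "==1.0.22"
            pinned = version[2:] if version and version.startswith("==") else None
            pins[canonical(name)] = pinned
    return pins

def installed_packages(freeze_text):
    """Parse `pip freeze` lines of the form name==version."""
    found = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith(("#", "-e")):
            name, version = line.split("==", 1)
            found[canonical(name)] = version
    return found

def drift(lock_text, freeze_text):
    """Return (unlocked, mismatched) package names found in the environment."""
    pins = locked_packages(lock_text)
    env = installed_packages(freeze_text)
    unlocked = sorted(n for n in env if n not in pins and n not in BOOTSTRAP)
    mismatched = sorted(n for n in env if pins.get(n) not in (None, env[n]))
    return unlocked, mismatched

# Constructed sample input mirroring the report above: empty lock, one stray package.
SAMPLE_LOCK = '{"_meta": {"pipfile-spec": 6}, "default": {}, "develop": {}}'
SAMPLE_FREEZE = "Unidecode==1.0.22\n"

if __name__ == "__main__":
    unlocked, mismatched = drift(SAMPLE_LOCK, SAMPLE_FREEZE)
    print("installed but not in Pipfile.lock:", unlocked)
    print("installed at a version other than the pin:", mismatched)
```

Run after pipenv sync in CI, a non-empty result can fail the build so that an environment carrying unlocked packages is caught before it hides a missing dependency.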
