Comments (15)
I think this would be pretty trivial to detect, just bake a hash of the Pipfile
into Pipfile.lock
.
from pipfile.
This of course runs the risk of getting an "outdated" false positive for non-semantic changes like adding a comment or something. If we get to a place that it's possible to safely parse the Pipfile
then you can make that better by making it a hash on the data that was parsed out of the Pipfile
rather than on the Pipfile
itself. Same idea just more targeted to changes that actually matter.
from pipfile.
Good idea, actually. I'll keep this issue open until this is implemented ;)
from pipfile.
Also it may be useful to store the hash of lock file itself, along with the hash of Pipfile data
from pipfile.
Having a hash in Pipfile.lock
will likely make it painful to work with git (if committed).
Example 1:
- I add flask to my
Pipfile
and create aPipfile.lock
(works) - I create a feature branch and add
sqlalchemy
(works) - I add a new dependency
requests
to master (works) - I merge my
sqlalchemy
branch (merge conflict, sha mismatch)
Example 2:
- I'm working on a bigger migration from
celery 3
tocelery 4
in a feature branch. - In the meantime
Django
issues a new security release and I'm updating myPipfile
andPipfile.lock
- celery 4 is finally ready to be merged, I'm getting
Pipfile.lock
merge conflicts
Example 3:
- I'm using automated tools to update my dependencies in their own branches, one at a time
- I'm getting merge conflicts all over the place as soon as more than one update is available
The only way around that would be to tell people to never ever commit their Pipfile.locks
, or to remove the hash.
from pipfile.
@jayfk Is resolving a one-line merge conflict really that big of a deal nowadays with GitHub's web interface for conflict resolution? Valid point though.
Maybe the hash could be external to the file and not committed? Pipfile.hash
? I dunno.
from pipfile.
@SethMichaelLarson the problem is you need to recalculate the hash every time since both hashes are incorrect at the time you merge your feature branch.
from pipfile.
@jayfk So it's possible to get around that by doing something like instead of a hash, baking the contents of Pipfile
itself into the Pipfile.lock
, in this way you'd end up with cleaner diff (although it doesn't solve the abstract problem of merge conflicts that can still happen and require a way to deal with them).
So I guess it comes down to whether taking up extra disk space by duplicating all of the contents of the Pipfile
inside the Pipfile.lock
and still needing a conflict resolution workflow sometimes is a better solution than using less disk space but pretty much always needing some sort of conflict resolution workflow.
from pipfile.
So it's possible to get around that by doing something like instead of a hash, baking the contents of Pipfile itself into the Pipfile.lock, in this way you'd end up with cleaner diff (although it doesn't solve the abstract problem of merge conflicts that can still happen and require a way to deal with them).
Using this approach, the main benefit is that a human is able to resolve the merge conflict pretty easily.
Using a hash requires you to resolve the merge conflict locally by regenerating the Pipfile.lock
through the CLI.
from pipfile.
Using this approach, the main benefit is that a human is able to resolve the merge conflict pretty easily.
Using a hash requires you to resolve the merge conflict locally by regenerating the Pipfile.lock through the CLI.
IMO despite fixing conflicts in Pipfile.lock
manually is fast and available from GitHub, this is quite error-prone approach. It is often much easier to resolve conflicts in main file and generate lockfile, than resolve much larger chunks of diff in lockfile.
The only way around that would be to tell people to never ever commit their Pipfile.locks, or to remove the hash.
Maybe the hash could be external to the file and not committed? Pipfile.hash? I dunno.
These files must be in vcs, otherwise they are useless, aren't they?
from pipfile.
I can already see the broken builds and "fix: Forgot to build Pipfile" commits waiting to happen.
Isn’t this sort of things caught by running tox before pushing?
from pipfile.
I don't see this as a problem at all, my workflow is similar to what I think Pipfile wants to achieve.
I have a set of unpinned requirements files and a fully pinned requirements.txt generated with a Makefile, the generated requirements.txt
is the "production" version, if you modify any of the requirements files it's because you add something new or remove something, and that's when @merwok comment comes to light, you set up a tox environment that runs tests installing only your requirements.txt
packages (and the ones needed for testing exclusively), so your tests will fail and you won't be able to commit.
from pipfile.
- You don't always have 100% coverage, so, theoretically, these errors can pass unnoticed. But tox will always be able to detect hash mismatch, because package manager will fail
- If your project is quite large, you don't like to run a whole test set on your machine, instead you switch to builds per pull request or even nightly builds
from pipfile.
Pipenv auto-locks after you modify the Pipfile.
from pipfile.
This has been fine, in practice.
from pipfile.
Related Issues (20)
- Link additional Pipfiles from root one
- Skip lock on a single dependency HOT 4
- Pipfile.lock() is not idempotent
- Security Vulnerability Alerts (in examples/Pipfile.lock) HOT 5
- Pipenv take wrong Pipfile
- AttributeError while using inject_environment_variables function
- typo in line 136
- Rename 'master' branch to 'main' HOT 3
- pip2 install python
- - [ ] @monkeyhammercopiseded #165 HOT 5
- pipfile-spec in Pipfile
- Docs url is unreachable
- Publish a wheel for `pipfile`
- how to specific version in extras of pipfile?
- Support git+ssh source package repositroy
- ااا
- http://example.edu/tt
- Ggg
- how to add dependencies from other sources instead of pypi? HOT 1
- OSS-Fuzz Integration Inquiry
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pipfile.