-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Pipfiles #197
Comments
+1. Pyup should be able to read |
any update ? |
Just moved to Pipfile on a few projects. Totally forgot about pyup |
is there any schedule for supporting Pipfiles? |
I'll chime in as another who would love pipfile support. They're fantastic! I'm planning on switching all my personal projects to use pipfiles. |
How exactly are you currently using pipenv in your projects? Are you pinning your dependencies in your |
I'd say the usage is similar to other package managers that use a lock file like composer (or npm more recently):
|
My usage is slightly different for applications, but not my much. I don't pin versions in the Pipfile (I use "*" to match all), but I do commit the lockfile. That way I get the same deterministic installs across environments, but it's also easy to upgrade all packages and second-order dependencies with I first learned about this "requirements-to-freeze" design philosophy in an article on Kenneth Reitz website here and adapted it to pipfiles. I agree with what @chris48s said regarding pipfiles in packages. |
I also recommend to commit the lock file for application (you want to freeze all the dependencies so when user installs the python application, it installs exactly what the developer validated). For libs, you don't commit the lock files. I also generate manually the |
Okay, I'm currently working on basic support for Pipfiles. Still need to write some tests, but it's looking good so far. One thing that will be horrible to support though is the combination pinned I wrote about this potential issue in pypa/pipfile#9 (comment). |
hash is optional, you may not update it (just safer) |
I've just pushed experimental support for pipenv to pyup.io. If you are using the CLI, you'll need to install from master. To enable it, simply add your Pipfiles to your
The update should cover most of pipenvs workflows, but there are some caveats:
Other than that, it should be pretty usable. |
I see the following error (link):
|
Thank you for your work on this!
Unfortunately this is a blocker for us, since we have a few deps that have to be held back (eg
Is it just the overall lockfile hash that remains unchanged, or the per-package hashes? With our current requirements files, we make use of pip's hash-checking mode, so would need the latter. What impact does not updating the overall lockfile hash have? |
hash is not that mandatory (it's the pypi server that exposes these hash). They however allow verification of integrity of the retrieve packet. For the range/freeze syntax issue, it is kind of mandatory, limiting for any reason some version is perfectly legit, especially when need to banish a corrupted or vulnerable version. |
Hey @jayfk! First of all, thanks for your great work! is there a chance to see full hash & range support in pyup in a near future? No pressure, just wondering so we can plan things around. |
For me |
Pipfiles are on its way to be a thing.
It'd great if pyup could support this as soon as the internal API is stable: pypa/pipfile#57
The text was updated successfully, but these errors were encountered: