# Install pipenv

**`pipx install pipenv`**

![image.png](attachment:937b0729-d1ef-48be-a1f4-fb73fb5fb0ba.png)

# Installing dependencies using pipenv

**`pipenv install arrow`**

![image.png](attachment:1e544b97-fb2f-4bd5-8b07-0470a361aa45.png)

![image.png](attachment:6b944725-01e6-434f-89a3-a3135df5f009.png)

When we install dependencies it does multiple things:

* It creates a virtual environment in a separate folder called **.vitualenvs** with a unique name bound to this folder. 
So that pipenv will know later that the virtual environment belongs to which project. This means that, if we move or rename the project then pipenv will not be able to find this project environment that it has created.

* It also install the dependencies in the environment and creates two files:
    * **Pipfile**
    * **Pipfile.lock**

![image.png](attachment:e92076de-796d-4db7-9485-39d8fc134a5a.png)


## Pipfile

The `pipfile` is in the `toml` file format just like `pyproject.toml` and it has sections with square brackets.

 It starts with a source block which tells pipenv the package repository to use.

In the packages section, we see our dependency arrow, and because we haven’t specified any version while installing. 

That’s why, it has “`*`” in the place of version which means any version will do.

The **dev-packages** section for development-specific dependencies.

![image.png](attachment:36a5fd9e-8ebf-495e-bd75-7508dcc57cb2.png)

# Pipfile.lock

This is where pipenv stores the exact versions of every single package installed including the sub-dependencies.

So this is what `pipenv` uses to make the dependency tree deterministics.

So the **`Pipfile`** contains abstract dependencies, and the **`Pipfile.lock`** contains all the detailed versions of all sub-dependencies.

Editing **`Pipfile`** is okay but the **`Pipfile.lock`** should only be managed by `pipenv`.

Whenever we install a new package using `pipenv`, the new package will gets added to **`Pipfile`**, but `pipenv` also generates a completely new **`Pipfile.lock`** file.

> **NOTE:**
> * *Everytime we install something new, the entire dependency tree is generated and stored in the lock file because there are might be different version needed for some sub-dependencies. And just like pip, resolving an entire dependency tree and locking process with pipenv can take quite some time.*
> * *Even if you install something with no sub-dependencies and shouldn’t change the rest of the tree, but still pipenv resolve the entire dependency tree again and generates the lock file.*
> * *This is one of the criticism pipenv gets a lot.*

![image.png](attachment:8de0c1cc-182b-4c66-b1c1-59c630bd5268.png)

# Pipenv workflow

Now we’ll look at the typical workflow of using `pipenv`.

![image.png](attachment:a55849f0-fe43-4e14-a861-301c2985d62f.png)

Consider you’ve cloned a python project from Git Hub which contains both `pipfile` and `pipfile.lock`. 

Note that the project doesn’t have a virtual environment yet.

Now run → `pipenv sync`. 
* This will install everything from the lock file. 
* Now we have the required packages installed.

![image.png](attachment:e8a4e22e-f018-4d05-8813-61f04bdb8463.png)

 Now run → `pipenv graph`, to check the entire dependency tree along with the dependencies as well as their sub-dependencies, version specifiers and the installed versions.

![image.png](attachment:379035df-2d7d-4029-af39-b8f237d7c48f.png)

If we check the `pipfile` we'll find that the package/dependency called **black** has not been installed as per the dependency tree shown above.

The reason for **black** dependency not getting installed is that **black** has been listed as a development dependency.

![image.png](attachment:d3c0633f-f29b-4c22-9eb2-f4daa9c9d9b3.png)

To install development dependencies use the `-d` switch with `pipenv sync` command as follow → `pipenv sync -d`

The `-d` switch tells `pipenv` to install all development dependencies as well as the default dependencies.

![image.png](attachment:52ffde0d-bde8-45c4-b9be-bffaa76aca20.png)

Now we cannot run black right now as we’re not in the active environment.

To run things with `pipenv` from outside the virtual environment, we have the following options:
```
pipenv run black script.py    # here we're running black against the script.py
pipenv run python script.py    # To run the script.py itself
```

Or, we can start a shell with the active environment using `pipenv shell` and now we can run things just like in any other environment.
```
pipenv shell
python script.py
```

![image.png](attachment:2a0d39a0-791d-4040-a9bd-34434438fc2a.png)

Now sometimes we have a tool that doesn’t understand the **pipfile** but it does understand the `requirements.txt` file.

The `pipenv` also allows to create of a `requirement.txt` for such scenarios → `pipenv requirements`

![image.png](attachment:2da60b68-da17-406c-afaa-222ea59d9d06.png)

And in case, you need development requirements too, you can add `--dev` switch.

![image.png](attachment:c97237fe-a2d0-42f2-9e08-da47f91ac157.png)

# Pipenv: Keeping packages upto date

The pipenv also offers a way to keep our packages up to date. Also, pipenv can run security checks for the packages.

For example, let's say we have an older version of `Flask` with some security problems, and one of its dependencies called `Werkzeug`, also has an older version with some vulnerabilities on its own.
```
pipenv check      # To run security scan on installed dependencies
```
![image.png](attachment:0c40da82-9d99-4aa0-9e32-d5a029218d91.png)

![image.png](attachment:4a789fe5-b259-4744-ae65-215b6c4c7e97.png)

By looking at the `pipfile`, we found that only `Flask` dependency is there and `Werkzeug` is just a sub-dependency.

![image.png](attachment:7aab82ac-450d-4153-95ee-f74c8b3b8f7e.png)

So we’ll just update the `Flask` dependency and install the latest version of `Flask` and its sub-dependencies, which will fix the problem with both `Flask` & `Werkzeug`.
```
pipenv update flask
```

![image.png](attachment:771c10a7-716b-4ab4-95a2-2310fc062d34.png)

To update everything, that is all dependencies and sub-dependencies, run
```
pipenv update       # This will udpate all top-level and sub-dependencies
```

# Review: pipenv

![image.png](attachment:0b9f74ed-df48-4614-8e9f-211fe917dd14.png)

![image.png](attachment:c5f8a467-c3c3-4c04-882e-762117f5d45f.png)

![image.png](attachment:803a0bf4-b875-4e28-b4fb-a45a5e2703ab.png)

![image.png](attachment:559b55a5-b2dd-40f2-b829-0e4907f3d02f.png)