Pipenv does not lock dependencies when installing from URL

[haizaar]

Be sure to check the existing issues (both open and closed!), and make sure you are running the latest version of Pipenv.

Check the diagnose documentation for common issues before posting! We may close your issue if it is very similar to one of them. Please be considerate, or be on your way.

Make sure to mention your debugging experience if the documented solution failed.

Issue description

Pipenv does not lock dependencies when installing from URL:

mkdir /tmp/repro; cd /tmp/repro
$ pipenv install https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz#egg=uberlogging
Installing https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz#egg=uberlogging…
Collecting uberlogging from https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz#egg=uberlogging
  Downloading https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz
Collecting coloredlogs (from uberlogging)
  Using cached https://files.pythonhosted.org/packages/08/0f/7877fc42fff0b9d70b6442df62d53b3868d3a6ad1b876bdb54335b30ff23/coloredlogs-10.0-py2.py3-none-any.whl
Collecting structlog (from uberlogging)
  Using cached https://files.pythonhosted.org/packages/f0/00/0fd0ca13fa19361bec0418e4c3b6b7509048cb1fb2fa8b7cd6b3dffe13d8/structlog-18.2.0-py2.py3-none-any.whl
Collecting humanfriendly (from uberlogging)
  Using cached https://files.pythonhosted.org/packages/79/1e/13d96248e3fcaa7777b61fa889feab44865c85e524bbd667acfa0d8b66e3/humanfriendly-4.17-py2.py3-none-any.whl
Collecting python-json-logger (from uberlogging)
  Using cached https://files.pythonhosted.org/packages/3a/ed/2ba5a2dfce45fa67e0588dd6457b59ffdef7f1fdcd2c1152e085e3c9a726/python_json_logger-0.1.9-py2.py3-none-any.whl
Collecting six (from structlog->uberlogging)
  Using cached https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Requirement already satisfied, skipping upgrade: setuptools in /home/haizaar/dev/venvs/repro-2muHjEV7/lib/python3.6/site-packages (from python-json-logger->uberlogging) (40.5.0)
Building wheels for collected packages: uberlogging
  Running setup.py bdist_wheel for uberlogging: started
  Running setup.py bdist_wheel for uberlogging: finished with status 'done'
  Stored in directory: /tmp/pip-ephem-wheel-cache-nu1_rfr7/wheels/36/90/05/3401129e52691bdd63e46f78b4761dca1ff6a0c3abcb57575d
Successfully built uberlogging
Installing collected packages: humanfriendly, coloredlogs, six, structlog, python-json-logger, uberlogging
Successfully installed coloredlogs-10.0 humanfriendly-4.17 python-json-logger-0.1.9 six-1.11.0 structlog-18.2.0 uberlogging-0.0.1

Adding uberlogging to Pipfile's [packages]…
Pipfile.lock not found, creating…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (e3fb42)!
Installing dependencies from Pipfile.lock (e3fb42)…
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 1/1 — 00:00:03

Only one dependency is locked, which is already suspicious, and indeed Pipfile.lock only contains:

{
    "_meta": {
        "hash": {
            "sha256": "c244596befb340cb024baad8aee4ee9c2d66d19ef39c1c07dcc43024a8e3fb42"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "uberlogging": {
            "file": "https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz"
        }
    },
    "develop": {}
}

However pipenv graph show the dependencies properly:

$ pipenv graph
uberlogging==0.0.1
  - coloredlogs [required: Any, installed: 10.0]
    - humanfriendly [required: >=4.7, installed: 4.17]
  - humanfriendly [required: Any, installed: 4.17]
  - python-json-logger [required: Any, installed: 0.1.9]
    - setuptools [required: Any, installed: 40.5.0]
  - structlog [required: Any, installed: 18.2.0]
    - six [required: Any, installed: 1.11.0]

Expected result

Dependencies should have appeared in the Pipfile.lock.

Actual result

$ pipenv lock --verbose
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (e3fb42)!
$ cat Pipfile.lock | jq .default
{
  "uberlogging": {
    "file": "https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz"
  }
}

---

$ pipenv --support

Pipenv version: '2018.10.13'

Pipenv location: '/home/haizaar/.local/lib/python3.6/site-packages/pipenv'

Python location: '/usr/bin/python3.6'

Python installations found:

• 3.7.0: /usr/bin/python3.7
• 3.7.0: /usr/bin/python3.7m
• 3.6.6: /home/haizaar/dev/venvs/repro-2muHjEV7/bin/python3.6
• 3.6.6: /usr/bin/python3.6
• 3.6.6: /usr/bin/python3.6m
• 3.5.2: /usr/bin/python3.5
• 3.5.2: /usr/bin/python3.5m
• 2.7.12: /usr/bin/python2.7

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.6.6',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '4.15.0-36-generic',
 'platform_system': 'Linux',
 'platform_version': '#39~16.04.1-Ubuntu SMP Tue Sep 25 08:59:23 UTC 2018',
 'python_full_version': '3.6.6',
 'python_version': '3.6',
 'sys_platform': 'linux'}

System environment variables:

• LC_PAPER
• XDG_VTNR
• XDG_SESSION_ID
• LC_ADDRESS
• CLUTTER_IM_MODULE
• LC_MONETARY
• XDG_GREETER_DATA_DIR
• VIRTUALENVWRAPPER_SCRIPT
• VIRTUALENVWRAPPER_PROJECT_FILENAME
• SESSION
• GPG_AGENT_INFO
• PIP_PYTHON_PATH
• SHELL
• INFINALITY_FT_AUTOHINT_VERTICAL_STEM_DARKEN_STRENGTH
• VTE_VERSION
• TERM
• QT_LINUX_ACCESSIBILITY_ALWAYS_ON
• LC_NUMERIC
• WINDOWID
• GNOME_KEYRING_CONTROL
• UPSTART_SESSION
• GTK_MODULES
• INFINALITY_FT_CONTRAST
• USER
• QT_ACCESSIBILITY
• LC_TELEPHONE
• LS_COLORS
• UNITY_HAS_3D_SUPPORT
• XDG_SESSION_PATH
• XDG_SEAT_PATH
• SSH_AUTH_SOCK
• DEFAULTS_PATH
• VIRTUAL_ENV
• WORKON_HOME
• UNITY_DEFAULT_PROFILE
• XDG_CONFIG_DIRS
• PIPENV_ACTIVE
• PATH
• DESKTOP_SESSION
• QT_QPA_PLATFORMTHEME
• QT_IM_MODULE
• VIRTUALENVWRAPPER_HOOK_DIR
• LC_IDENTIFICATION
• JOB
• PWD
• XDG_SESSION_TYPE
• XMODIFIERS
• LANG
• GNOME_KEYRING_PID
• MANDATORY_PATH
• GDM_LANG
• LC_MEASUREMENT
• NODE_PATH
• IM_CONFIG_PHASE
• COMPIZ_CONFIG_PROFILE
• PS1
• PYTHONDONTWRITEBYTECODE
• PAPERSIZE
• GDMSESSION
• GTK2_MODULES
• SESSIONTYPE
• GITAWAREPROMPT
• XDG_SEAT
• HOME
• SHLVL
• LANGUAGE
• _VIRTUALENVWRAPPER_API
• GNOME_DESKTOP_SESSION_ID
• UPSTART_INSTANCE
• PIP_SHIMS_BASE_MODULE
• LOGNAME
• UPSTART_EVENTS
• XDG_SESSION_DESKTOP
• COMPIZ_BIN_PATH
• QT4_IM_MODULE
• XDG_DATA_DIRS
• DBUS_SESSION_BUS_ADDRESS
• LESSOPEN
• UPSTART_JOB
• INSTANCE
• DISPLAY
• XDG_RUNTIME_DIR
• INFINALITY_FT_GLOBAL_EMBOLDEN_X_VALUE
• GTK_IM_MODULE
• XDG_CURRENT_DESKTOP
• LC_TIME
• LESSCLOSE
• XAUTHORITY
• LC_NAME
• _

Pipenv–specific environment variables:

• PIPENV_ACTIVE: 1

Debug–specific environment variables:

• PATH: /home/haizaar/dev/venvs/repro-2muHjEV7/bin:/home/haizaar/.local/bin:/home/haizaar/.npm-packages/bin:/home/haizaar/bin:/home/haizaar/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
• SHELL: /bin/bash
• LANG: en_US.UTF-8
• PWD: /tmp/repro
• VIRTUAL_ENV: /home/haizaar/dev/venvs/repro-2muHjEV7

---

Contents of Pipfile ('/tmp/repro/Pipfile'):

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
uberlogging = {file = "https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz"}

[dev-packages]

[requires]
python_version = "3.6"

Contents of Pipfile.lock ('/tmp/repro/Pipfile.lock'):

{
    "_meta": {
        "hash": {
            "sha256": "c244596befb340cb024baad8aee4ee9c2d66d19ef39c1c07dcc43024a8e3fb42"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.6"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "uberlogging": {
            "file": "https://github.com/haizaar/uberlogging/archive/v0.0.1.tar.gz"
        }
    },
    "develop": {}
}

[techalchemy]

Ah good thing you said this! let me update my fix

thanks for the report!

[haizaar]

Thanks for quick response!
Do you know when the next release is expected that fixes this?

[haizaar]

I'm testing this with pipenv 2018.11.26, and the issue is still here, exactly as reported.

So I'm afraid your fix didn't work, at least for my case :(

[haizaar]

@techalchemy Reopen, as per my earlier comment?

[haizaar]

Ping reopen?

[ods]

The problem was reintroduced in f0e3bba

The fix: https://github.com/ods/pipenv/commit/9ca7543a3255e7f5c4adb1178670fa7a7ddfffc9