pipenv check looks at installed packages, not Pipfile.lock #5600
Labels
Contributor Candidate
The issue has been identified/triaged and contributions are welcomed/encouraged.
Type: Enhancement 💡
This is a feature or enhancement request.
Use Case
I would like to run `pipenv check` as a separate job from the build/test job inside a CI pipeline without rebuilding environment. I discovered that I must actually install all packages to a `pipenv` environment before using `pipenv check`. Ideally, I should be able to scan the dependencies inside `Pipfile.lock` without actually installing the whole environment.

I believe it's misleading that right now `pipenv` is just acting as a "proxy" to `safety`, and by default checks an environment that may not match `Pipfile.lock`. By using `pipenv check` the assumption should be that it is checking the environment specified in `Pipfile.lock` and if you need to check an environment that deviates, you use `safety` directly.

I've traced the behavior down to these lines:
pipenv/pipenv/core.py
Lines 2900 to 2902 in 8939c86

Instead of generating the temp `requirements.txt` file from the current environment using `pip list`, can we instead generate the temp `requirements.txt` from `Pipfile.lock`? Something like

Workaround
I'm currently using the following workaround in my CI job, but would like to go through `pipenv` directly.

```
pipenv requirements --dev | safety check --stdin
```
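To illustrate what scanning from `Pipfile.lock` rather than from the installed environment involves, here is an added example; it is not part of the original issue and is not pipenv's code. The function name `lock_to_requirements` and the sample lock file are constructed for illustration. It also reports entries with no exact version (VCS or path dependencies), which a version-based scan cannot cover.

```python
import json

# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "<placeholder>"}, "pipfile-spec": 6},
    "default": {
        "requests": {"version": "==2.28.1", "extras": ["socks"],
                     "markers": "python_version >= '3.7'"},
        "internal-lib": {"git": "https://example.invalid/internal-lib.git",
                         "ref": "<placeholder>"},
    },
    "develop": {
        "pytest": {"version": "==7.2.0"},
        "requests": {"version": "==2.28.1"},
    },
})


def lock_to_requirements(lock_text, dev=False):
    """Return (pins, unpinned) derived only from Pipfile.lock content.

    pins: sorted 'name==version' lines a scanner can read as requirements.
    unpinned: names with no exact version (VCS, path or editable entries),
    which a version-based vulnerability lookup cannot cover.
    """
    lock = json.loads(lock_text)
    sections = ["default"] + (["develop"] if dev else [])
    pins, unpinned = {}, set()
    for section in sections:
        for name, entry in lock.get(section, {}).items():
            # Normalise the name so the same package in both sections dedupes.
            key = name.lower().replace("_", "-")
            version = entry.get("version", "")
            if version.startswith("=="):
                pins[key] = f"{key}{version}"
            else:
                unpinned.add(key)
    return sorted(pins.values()), sorted(unpinned)


if __name__ == "__main__":
    pins, unpinned = lock_to_requirements(SAMPLE_LOCK, dev=True)
    print("\n".join(pins))
    for name in unpinned:
        print(f"# not scannable by version: {name}")
```

The printed pins are in requirements format, so they can be fed to a scanner the same way the workaround above pipes into `safety check --stdin`.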