Sorry for the length, this is a pretty intricate pipenv situation.
At my company we are using pipenv (with both Pipfile and Pipfile.lock) to control packages used on different engineers' laptops. This is even more important for us than for most teams because we're also using Zappa to deploy AWS Lambda code, and it apparently packages the dependencies directly from the deployer's laptop to deploy them. So if people's laptops aren't totally aligned in terms of dependencies, we can get different behavior in the cloud depending on who deployed it.
We have found that even after attempting to fully control dependencies with Pipfile and Pipfile.lock, we end up getting different Python packages on our different laptops, as shown by pip freeze and as indicated by errors in deployed code.
Here is the exact process that is showing differences between my laptop and my boss's (the Pipfile code I quote is on multiple lines but I'm condensing it to one line because I'm having trouble with SO formatting):
- At the very beginning, all we had was a Pipfile with packages specified with wildcards like [requires] python_version = "3.6" [packages] flask = "*". Also, we didn't have a Pipfile.lock; my boss (who was the first coder on this project) had always run --skip-lock.
- To control things better, I started by upgrading our Pipfile to replace the wildcards with explicit versions and also make our Python version more specific, like [requires] python_version = "3.6.4" [packages] Flask = "==1.0.2". To do this, I got a copy of my boss's pip freeze output and copied the versions into the Pipfile where there was a name match with what was listed there (I skipped anything that didn't match because I assumed it was an upstream dependency and we weren't touching that yet). I committed this.
- We were still having problems, so we decided to start using Pipfile.lock to control upstream dependencies. So my boss created one by running pip install without --skip-lock for the first time, and committed that.
- I pulled the Pipfile.lock, deleted my environment with pipenv --rm and recreated it with pipenv install.
- We both ran pip freeze and compared outputs, but we both still have a number of differences.
I suppose I can have my boss delete his pipenv environment and reinstall based on the committed Pipfile and Pipfile.lock, but since they are based on his pip freeze I would be a little surprised if that changed anything.
So I'm just wondering: is this behavior truly unexpected? I always thought the combination of pipenv, Pipfile, and Pipfile.lock would guarantee two people have the same packages, as long as every version is locked with ==[version]. Is there anything else we would need to do to get a very exact match?
If it's truly unexpected, the only other thing I can think is that maybe he hadn't run pipenv shell before his pip freeze, but I think he did because things lined up well against the Pipfiles.
Side note: I haven't converted our [dev-packages] in Pipfile to have versions because I'm not sure what that does and I'm assuming it's irrelevant. So those are still like pylint = "*"
from differences between users even after using Pipfile and Pipfile.lock with explicit versions
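One way to make the final comparison step mechanical, as an added example that is not part of the original question: it checks a laptop's pip freeze output against the pins in the committed Pipfile.lock, normalising names as PEP 503 does so that Flask and flask match. The function names, the sample lock and freeze text, and every version other than Flask 1.0.2 are constructed for illustration.

```python
import json
import re
# Constructed sample data (only Flask 1.0.2 comes from the question).
SAMPLE_LOCK = json.dumps({
    "default": {"flask": {"version": "==1.0.2"}, "werkzeug": {"version": "==0.14.1"},
                "jinja2": {"version": "==2.10"}},
    "develop": {"pylint": {"version": "==2.1.1"}},
})
SAMPLE_FREEZE = "Flask==1.0.2\nWerkzeug==0.15.0\npylint==2.1.1\nastroid==2.0.4\n"

def canonical(name):
    """PEP 503 name normalisation, so Flask/flask and a_b/a.b/a-b compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text):
    """Return ({canonical name: version}, [lines that carry no '==' pin])."""
    pins, unpinned = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep and not line.startswith("-e"):
            pins[canonical(name)] = version
        else:
            unpinned.append(line)  # editable, VCS or URL installs
    return pins, unpinned

def locked_versions(lock_text, sections=("default",)):
    """Return {canonical name: version} for the chosen Pipfile.lock sections."""
    pins = {}
    for section in sections:
        for name, entry in json.loads(lock_text).get(section, {}).items():
            version = entry.get("version", "")  # VCS entries have no version key
            pins[canonical(name)] = version[2:] if version.startswith("==") else version
    return pins

def drift(lock_text, freeze_text, sections=("default",)):
    """Compare an environment's pip freeze output with what the lock file pins."""
    locked = locked_versions(lock_text, sections)
    installed, unpinned = parse_freeze(freeze_text)
    both = sorted(set(locked) & set(installed))
    return {
        "missing": sorted(set(locked) - set(installed)),
        "extra": sorted(set(installed) - set(locked)),
        "mismatch": {n: (locked[n], installed[n]) for n in both if locked[n] != installed[n]},
        "unpinned": unpinned,
    }

if __name__ == "__main__":
    print(json.dumps(drift(SAMPLE_LOCK, SAMPLE_FREEZE), indent=2))
```

Pass sections=("default", "develop") when the environment was created with pipenv install --dev, since [dev-packages] are locked in the develop section of Pipfile.lock.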