pip-compile ignores existing output file if --output-file is specified #1358
Comments
|
Thanks for the report! I think you mixed up But the behavior you want is what I usually see. Can you provide a testable example?
httpx$ pip-compile --no-header reqs.in
certifi==2020.12.5
# via httpx
h11==0.12.0
# via httpcore
httpcore==0.12.3
# via httpx
httpx==0.17.1
# via -r reqs.in
idna==3.1
# via rfc3986
rfc3986[idna2008]==1.4.0
# via httpx
sniffio==1.2.0
# via
# httpcore
# httpx$ $EDITOR reqs.in
httpx<0.17.1
sniffio<1.2.0$ pip-compile --no-header reqs.in
certifi==2020.12.5
# via httpx
h11==0.12.0
# via httpcore
httpcore==0.12.3
# via httpx
httpx==0.17.0
# via -r reqs.in
idna==3.1
# via rfc3986
rfc3986[idna2008]==1.4.0
# via httpx
sniffio==1.1.0
# via
# -r reqs.in
# httpcore
# httpx$ echo httpx >reqs.in
$ pip-compile --no-header -P sniffio reqs.in
certifi==2020.12.5
# via httpx
h11==0.12.0
# via httpcore
httpcore==0.12.3
# via httpx
httpx==0.17.0
# via -r reqs.in
idna==3.1
# via rfc3986
rfc3986[idna2008]==1.4.0
# via httpx
sniffio==1.2.0
# via
# httpcore
# httpxAre you sure your package requirements are as loose as you expect? |
|
In your workaround steps at the end of your report, you shouldn't need to do numbers 1, 2, or 5. |
|
Apologies for the extremely buggy original post. I think I've tracked down some of the errors, but please let me know if it needs more tidying to make sense for posterity (or feel free to edit if you have permissions!) Thank you very much for 1) confirming the expected behavior 2) providing a minimal example. That's extremely helpful, and has allowed me to narrow it down to behavior caused by If I run your example I get the same results. But if I change the last command to specify --output-file then httpx is upgraded: Is this a bug? Or is |
mikepqr
changed the title
|
I think I'm generally pretty confused about the role of any existing requirements.txt file when compiling a requirements.in. There may or may not be bugs here, but it's not obvious from the docs IMO. |
Via |
|
Ah, got it. Is there any way to create a lockfile, while respecting the contents of an existing lockfile, without overwriting that existing lockfile? |
|
Can you provide a testable example? |
|
Sure. Starting from this in reqs.in: and this in reqs.txt This command does what I want (i.e. upgrades sniffio, and leaves everything else unchanged): This command also does what I want: But they both overwrite the existing lockfile. This command writes a reqs0.txt in which everything has been upgraded (which is httpx and sniffio at the time of writing): And this command upgrades nothing (but changes the So, my question is: is there any way to create a lockfile, while respecting the contents of an existing lockfile, without overwriting that existing lockfile? I don't think it's relevant, but just in case you think I'm being pedantic, here's why I want to do this. My requirements are mounted into a docker container. If I overwrite inside the container they are then owned by root on the docker host. I can solve this but it's going to involve a bunch of fiddly |
Yes, the simple solution is copy the lockfile you'd like to use as a base to the destination, before running pip-compile: $ cp reqs.txt reqs0.txt
$ pip-compile reqs.in -o reqs0.txt |
|
Ha! I've been staring at this problem for so long, and never really felt like I understood what --output-file did, so that never occurred to me. Perfect, thanks! I do find --output-file's behavior (or more generally the role of the existing requirements.txt file) non-obvious, and I wonder if it's worth spelling out in the docs that it is not so much a pure output file, but rather the lockfile which will be used as input if it exists? |
Feel free to open a PR 👍 |
|
Happy to! Before I get started, is there any scope for renaming the option (and changing all references in UI strings) to |
This commit adds an explanation of the role of existing requirements.txt files to the README. I found this very unclear and opened #1358 because of my confusion. The existing short note that requirements.txt "might interfere" didn't really help me. I'm not sure how common my confusion is, but I hope my changes make things clearer to new users (assuming what I've written is in fact correct!) (In addition to my additions, I moved the "Updating requirements" section up in the doc, since it seems like a core workflow.)
Personally, I'm I'll close this since #1369 clears how pip-tools works with output files and it doesn't look like there's any other action required regarding pip-tools. Thanks for the issue! |
What's the problem this feature will solve?
This may be a supported workflow, in which case I'd be happy to submit a PR to add it to the README if someone can help me understand what the intended steps are!
Suppose I have:
foodepends onbaz>=3.0andbardepends onqux>=4.0so that when I runpip-compile requirements.inI get:But then there's a CVE against
bar==3.0and I want to upgrade it to 3.1. So I runpip-compile --upgrade-package baz==3.1, which yields:baz has been upgraded as requested, but foo and bar remain pinned as in the requirements file. That's all great. But
quxhas been upgraded too, because bar follows best practices by not overpinning its qux dependency, and qux happens to have released a new version. This is not what I want in this case. I want to upgrade only baz.Describe the solution you'd like
I guess I'm asking for an
--upgrade-only-packageoption that does what I want, but this seems like such a common use case that I assume I'm missing something!Alternative Solutions
Right now I simply edit the
bazline in requirements.txt by hand in cases where it doesn't contain hashes.When requirements.txt does contain hashes I do an insane set of manual steps that involves:
baz==3.1in the new requirements.inThe text was updated successfully, but these errors were encountered: