pip-compile bumps setuptools within commented-out spec #973
Comments
|
Hello @PeterJCLaw, Sorry, I didn't quite understand what you are trying to achieve and how you use pip-compile in that way. Could you add more details, attach the |
|
@atugushev sorry, yeah, on reflection I didn't include enough info. I've updated the description -- does that help? |
|
I see. The option |
|
Aha, thanks. I wasn't aware of that option -- I'll check that out. I think it would still be useful if there was a solution here which didn't involve doing something considered unsafe. |
This gave me an idea to add a mention about $ echo -e "six\nsetuptools" | pip-compile - -qo- --generate-hashes
The generated requirements file may be rejected by pip install. See # WARNING lines for details.
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile --generate-hashes --output-file=- -
#
six==1.12.0 \
--hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \
--hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73
# WARNING: The following packages were not pinned, but pip requires them to be
# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
# setuptools==41.5.0 |
The solution might be to unpin unsafe packages without $ echo setuptools | pip-compile - -qo-
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile --output-file=- -
#
# The following packages are considered to be unsafe in a requirements file:
# setuptoolsAnd pin unsafe packages with echo setuptools | pip-compile - -qo- --allow-unsafe
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile --allow-unsafe --output-file=- -
#
# The following packages are considered to be unsafe in a requirements file:
setuptools==41.5.0 |
atugushev
added
enhancement
|
I've submitted #975 which implements #973 (comment). Please, review/test it if you have time. |
FTR, it was already discussed before, see #276 (comment), and fixed in #294, but looks like it has been broken later unintentionally. |
|
@atugushev thanks for fixing this, do you know when this will be available in a release? ( |
|
@PeterJCLaw here is the tracking issue #1005. We'll release it very soon. |
|
|
|
Awesome, thanks! |
If you have a
requirements.inwhich contains a package which depends onsetuptools, for example:Then after running
pip-compile, you get:As you can see,
pip-compilerefuses to includesetuptoolsdirectly in a generatedrequirements.txt, instead adding a section with the comment "The following packages are considered to be unsafe in a requirements file:".This behaviour is fine in the general (and I don't disagree with the comment or behaviour).
However because the commented out
setuptoolsline includes a version number, whensetuptoolsreleases an update then therequirements.txtfile ends up looking out of date.Say you had committed a
requirements.txtwhich looked like:Then
setuptoolsreleases41.5.0and now when you runpip-compileyou get:This is inconvenient if you happen to regenerate your
requirements.txtat some point after an upstream releases, however if you're also usingpip-compileto check that yourrequirements.txtis in step with yourrequirements.in(see #882) in CI then it means that your build now fails for what is essentially a non-change.I'm not sure what the right solution is here, though perhaps if there was a way for pip-compile to understand its own commented out dependency that might help?
The text was updated successfully, but these errors were encountered: