When a flexible requirement is present in the dependency tree, pip does not respect hard-pinned requirements further down the tree #2981
A flexible requirement at one point in the dependency tree will override a non-flexible requirement further down. A concrete example (where all dependencies are specified in each project's setup.py install_requires) is presented below. I am installing from a private pypi repository, although I don't think that has anything to do with the issue.
ProjectA(v0.0.3) depends on ProjectB==1.2.3 and skll==0.23.1
ProjectB(v1.2.3) depends on ProjectC==0.3.13
skll(v0.23.1) depends on scikit-learn>=0.14
ProjectC(v0.3.13) depends on scikit-learn==0.15.1
Running `pip install -i myprivatepypi.com ProjectA==0.0.3`, you will wind up with the latest scikit-learn (currently 0.16.1) instead of 0.15.1. The following message appears in the stdout:

```
Collecting scikit-learn>=0.14 (from skll==0.23.1->ProjectA==0.0.3)
  Downloading https://myprivatepypi.com/scikit-learn-0.16.1.tar.gz (7.3MB)
```

There is no mention of downloading or installing scikit-learn==0.15.1 as specified by ProjectC, and `pip freeze` shows that, in fact, scikit-learn==0.16.1 has been installed.

This behavior happens in pip 6.1.1 and 7.1.0.
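An added illustration, not part of the original issue and not pip's own code: a simplified first-requirement-wins walk over the dependency tree reported above, followed by an audit that lists every declared requirement the result violates. The breadth-first order, the function names and the list of scikit-learn versions on the index are assumptions chosen to match the reported outcome.

```python
from collections import deque
import re

# Constructed from the issue text: (name, version) -> its install_requires.
DEPS = {
    ("ProjectA", "0.0.3"): ["ProjectB==1.2.3", "skll==0.23.1"],
    ("ProjectB", "1.2.3"): ["ProjectC==0.3.13"],
    ("skll", "0.23.1"): ["scikit-learn>=0.14"],
    ("ProjectC", "0.3.13"): ["scikit-learn==0.15.1"],
}
# Assumption: versions offered by the index (0.16.1 is the latest, per the issue).
INDEX = {"ProjectA": ["0.0.3"], "ProjectB": ["1.2.3"], "skll": ["0.23.1"],
         "ProjectC": ["0.3.13"], "scikit-learn": ["0.14", "0.15.1", "0.16.1"]}

def parse(req):
    """Split 'name==1.2' or 'name>=1.2' into (name, operator, version)."""
    return re.fullmatch(r"([A-Za-z0-9_.-]+)(==|>=)(.+)", req).groups()

def vkey(version):
    return tuple(int(part) for part in version.split("."))

def satisfies(version, op, wanted):
    if op == "==":
        return vkey(version) == vkey(wanted)
    return vkey(version) >= vkey(wanted)

def first_seen_resolve(root):
    """Breadth-first walk; the first requirement seen for a name picks its version."""
    chosen, queue = {}, deque([root])
    while queue:
        name, op, wanted = parse(queue.popleft())
        if name in chosen:  # later specifiers for this name are never consulted
            continue
        candidates = [v for v in INDEX[name] if satisfies(v, op, wanted)]
        chosen[name] = max(candidates, key=vkey)
        queue.extend(DEPS.get((name, chosen[name]), []))
    return chosen

def audit(chosen):
    """Return (package, requirement, installed) for every violated requirement."""
    broken = []
    for (pkg, ver), reqs in DEPS.items():
        if chosen.get(pkg) != ver:
            continue
        for req in reqs:
            name, op, wanted = parse(req)
            if not satisfies(chosen[name], op, wanted):
                broken.append((pkg, req, chosen[name]))
    return broken
```

Running `audit(first_seen_resolve("ProjectA==0.0.3"))` reports the ProjectC pin as violated, which is the check that would have surfaced the silent override described in the issue.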