jazzband / pip-tools

A set of tools to keep your pinned Python dependencies fresh.
https://pip-tools.rtfd.io
BSD 3-Clause "New" or "Revised" License

Add information that pip-compile takes into consideration previously generated output-file #2122

Open Kankarollo opened 2 months ago

Kankarollo commented 2 months ago

What's the problem this feature will solve?

While solving one of our dependency conflicts, I discovered that pip-compile takes the previously generated output file into consideration. I had the following error when executing pip-compile to update the jupyter/requirements-tools.txt file:

Command failed: pip-compile --no-emit-index-url --output-file=jupyter/requirements-tools.txt jupyter/requirements-tools.in requirements.in --upgrade-package=twisted==24.7.0
  ERROR: Cannot install -r requirements.in (line 30) because these package versions have conflicting dependencies.
Discarding incremental==22.10.0 (from -r jupyter/requirements-tools.txt (line 300)) to proceed the resolution
  ERROR: Cannot install opentelemetry-instrumentation-django and opentelemetry-instrumentation-psycopg2 because these package versions have conflicting dependencies.
Discarding opentelemetry-instrumentation==0.45b0 (from -r jupyter/requirements-tools.txt (line 453)) to proceed the resolution
  ERROR: Cannot install opentelemetry-instrumentation-django and opentelemetry-instrumentation-psycopg2  because these package versions have conflicting dependencies.
...

After many tries and errors I discovered that if I just removed the previous jupyter/requirements-tools.txt, the issue was solved. I could narrow it down to a specific internal library in jupyter/requirements-tools.txt, but the point is that I had no idea that pip-compile takes the previous output file into consideration at all; intuitively, if I see the name --output-file I don't expect it to have an impact on the input. I looked through the documentation and couldn't find information about that. I must admit that I'm not sure I understand the logic behind it either. I presume that pip-compile tries to make a minimal update of the file to be compliant with requirements.in or other constraint files, but in case of conflicts I'm surprised that it chooses to raise an error instead of updating more packages.

Describe the solution you'd like

In the documentation it should be better explained that pip-compile takes the previous output-file into consideration and why it does that. Additionally, it would be good to add a flag that allows force-updating this file. We are using renovate with pip-compile in our repositories and it fails often because of this issue.

Alternative Solutions

We can modify the renovate execution to always clean the previous output file of pip-compile, but that is a workaround, not a solution to the issue.

Additional context

I didn't go into the depth of how pip-compile and pip-tools work, so maybe I'm missing some general basic logic here. Maybe it's not the output-file per se that is taken into consideration but something else that is somehow connected to it. If that's the case, I'm your humble student and ask for an explanation of how it works or where I should look in the code/documentation for a better understanding.
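The behaviour described in this issue (pins from the existing output file are carried forward as constraints; `--upgrade-package=pkg==ver` swaps one of them for the requested version; `--upgrade`, or deleting the file, drops them all) is easy to reason about once the carried-forward set is made explicit. The following script is an added illustration written for this thread, not pip-tools' own code: it models that mechanism in a simplified way and prints which old pins survive a given invocation. The sample requirements-tools.txt content and the function names are constructed for the example. From a supply-chain point of view the useful part is the report: any old pin that survives is a version that will not move, which is exactly where a stale, vulnerable release can sit unnoticed unless `--upgrade` or a targeted `--upgrade-package` is passed.

```python
"""Simplified model of how pip-compile treats an existing output file.

Added illustration, not pip-tools' own code. It models the behaviour the
issue describes: pins from the previous output file are carried forward as
constraints unless --upgrade (drop all) or --upgrade-package (drop/replace
one) says otherwise. Sample content below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Matches 'name==version' pins; the leading character class keeps
# '# via ...' annotation lines from matching.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

# Constructed sample of a previously generated requirements-tools.txt.
EXISTING_OUTPUT = """\
#
# This file is autogenerated by pip-compile
#
incremental==22.10.0
    # via twisted
opentelemetry-instrumentation==0.45b0
    # via opentelemetry-instrumentation-django
twisted==23.10.0
    # via -r jupyter/requirements-tools.in
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Twisted' and 'twisted' refer to one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_existing_pins(text: str) -> Dict[str, str]:
    """Return {normalised name: version} for every 'pkg==ver' line."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def parse_upgrade_package(spec: str) -> Tuple[str, Optional[str]]:
    """'twisted==24.7.0' -> ('twisted', '24.7.0'); 'twisted' -> ('twisted', None)."""
    name, _, version = spec.partition("==")
    return normalize(name.strip()), (version.strip() or None)


@dataclass
class UpgradeRequest:
    upgrade_all: bool = False                                   # --upgrade
    packages: Dict[str, Optional[str]] = field(default_factory=dict)  # --upgrade-package


def constraints_for_resolver(existing_text: str, req: UpgradeRequest) -> Dict[str, str]:
    """Pins the resolver starts from, in this simplified model.

    --upgrade: nothing from the old file is carried forward.
    otherwise: every old pin is kept, except packages named in
    --upgrade-package, which are freed (no version given) or replaced
    by the requested version.
    """
    carried: Dict[str, str] = {} if req.upgrade_all else parse_existing_pins(existing_text)
    for name, version in req.packages.items():
        carried.pop(name, None)          # the old pin no longer constrains this package
        if version is not None:
            carried[name] = version      # ...but the requested version does
    return carried


if __name__ == "__main__":
    # Reproduce the invocation from the issue: only twisted is freed, every
    # other old pin (incremental, opentelemetry-instrumentation) still binds.
    name, version = parse_upgrade_package("twisted==24.7.0")
    kept = constraints_for_resolver(EXISTING_OUTPUT, UpgradeRequest(packages={name: version}))
    print("pins carried into the resolver with --upgrade-package=twisted==24.7.0:")
    for pkg, ver in sorted(kept.items()):
        print(f"  {pkg}=={ver}")
    print("pins carried with --upgrade:",
          constraints_for_resolver(EXISTING_OUTPUT, UpgradeRequest(upgrade_all=True)) or "none")
```

Running the script shows that the `--upgrade-package` run still carries `incremental==22.10.0` and `opentelemetry-instrumentation==0.45b0` into the resolver, which matches the "Discarding ... (from -r jupyter/requirements-tools.txt ...)" lines in the error output above: those old pins are only given up after the resolver has already tried and failed with them. The `--upgrade` run carries nothing, which is the same effect as deleting the output file first.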

Kankarollo commented 2 months ago

What is that? This is the first time I've seen spam/phishing bot attacks in a GitHub issue.

WhyNotHugo commented 2 months ago

They're pretty common. Apparently they're bots leaving links to [what I presume is] malware.

WhyNotHugo commented 2 months ago

What command were you running in the above situation?

Kankarollo commented 2 months ago

@WhyNotHugo

pip-compile --no-emit-index-url --output-file=jupyter/requirements-tools.txt jupyter/requirements-tools.in requirements.in --upgrade-package=twisted==24.7.0

I missed copying that line in the error output. Already edited.