From 67cf7d0d91c079e9256be16d61c3bcb0ec2bccfc Mon Sep 17 00:00:00 2001 From: Github Action Date: Thu, 28 May 2020 04:54:23 +0000 Subject: [PATCH 1/5] Bumped version. Signed-off-by: Github Action --- pipenv/__version__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipenv/__version__.py b/pipenv/__version__.py index 24299f3f..6fa30498 100644 --- a/pipenv/__version__.py +++ b/pipenv/__version__.py @@ -2,4 +2,4 @@ # // ) ) / / // ) ) //___) ) // ) ) || / / # //___/ / / / //___/ / // // / / || / / # // / / // ((____ // / / ||/ / -__version__ = "2020.5.28" +__version__ = "2020.5.28.dev0" From 26f32513c536f96b9d897dd861ab068ed3e71eb5 Mon Sep 17 00:00:00 2001 From: Sumana Harihareswara Date: Thu, 28 May 2020 11:24:34 -0400 Subject: [PATCH 2/5] Update release process to reflect Dan's notes Towards issue #4130. Signed-off-by: Sumana Harihareswara --- 4130.trivial | 0 RELEASING.md | 25 ++++++++++++++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 4130.trivial diff --git a/4130.trivial b/4130.trivial new file mode 100644 index 00000000..e69de29b diff --git a/RELEASING.md b/RELEASING.md index 379fd975..0195b70a 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -31,6 +31,15 @@ You can begin by reviewing vendored dependencies which can be found in `pipenv/v Next you can consult `pipenv/patched/patched.txt` which enumerates the patched dependencies. Follow the same process, but be aware that you will need to rewrite patches for each dependency once you update (most likely) as they do tend to change somewhat substantially. +### Update Safety + +Pipenv also includes a vendored copy of `safety` for checking for vulnerabilities against the `pyup.io` database. In order to update the `safety` package, run the following: + +```console +$ inv vendoring.update-safety +``` + + ### Updating patches For larger libraries you can keep local clones of them and simply generate full patch sets in which you replace the updated path in pipenv when you are done making changes. Here is an example of a script used from inside a local clone of `pip` to generate a patch and copy it to pipenv's local patches directory. 
@@ -74,12 +83,18 @@ $ pipenv run inv vendoring.update This will automatically remove the `./pipenv/vendor/` and `./pipenv/patched/` directories and re-download and patch the specified dependencies. It will also attempt to download any relevant licenses. Once this is completed, run `git status` and inspect the output -- look through the `git diff` for anything that may cause breakages. If any licenses have been deleted, you will need to determine why they were not replaced by the license download tooling. +## Review Vendored Licenses + + Make sure to read through any modified license files for changes -- note that we cannot redistribute code that is licensed under a [copyleft](https://en.wikipedia.org/wiki/Copyleft) license, such as the [GPL](https://en.wikipedia.org/wiki/GPL). Similarly, all vendored code **must** be licensed or it cannot be redistributed. If vendored libraries have become unlicensed or are no longer usable, suitable replacements will have to be found and potentially patched into the vendored dependencies. This may be a good time to consider simply including the dependency as an install requirement. +### TODO +Look into using a tool like https://fossa.com/ to help with this. + ## Update Pipfile.lock -Now we will need to update the lockfile. You will need to run the following: +Now we will need to update the lockfile. This is required to ensure tests run against the latest versions of libraries. You will need to run the following: ```bash # use the latest python here 
@@ -145,9 +160,13 @@ If in doubt, follow the basic instructions below. 4. Set the version number to [a pre-release identifier](https://www.python.org/dev/peps/pep-0440/#pre-release-separators) 5. Package and upload pipenv [to PyPI](https://pypi.org/project/pipenv/#history) as a pre-release/alpha 6. Publicize on distutils-sig, pypa-dev, and the relevant GitHub issue(s) -7. Wait a week, then update version number to a canonical release and re-release on PyPI.org + a. write up diplomatic notification +7. Recruit manual testing ([example](https://pad.sfconservancy.org/p/help-test-pipenv-2020-03-26)) for workflows we don't account for +8. Wait a week, then update version number to a canonical release and re-release on PyPI.org +10. Publicize on lists, GitHub issues + ## Looking ahead -Most of the pipenv related ecosystem libraries are using [github actions](https://github.com/sarugaku/vistir/blob/master/.github/workflows/pypi_upload.yml) to automate releases when tags are pushed. Most likely we will look to move in this direction and simplify the process. +Most of the pipenv related ecosystem libraries are using [GitHub actions](https://github.com/sarugaku/vistir/blob/master/.github/workflows/pypi_upload.yml) to automate releases when tags are pushed. Most likely we will look to move in this direction and simplify the process. From 0add59f4999a56e9b6af8e9565d7fa91c55e6fa9 Mon Sep 17 00:00:00 2001 From: "Gordon P. Hemsley" Date: Thu, 28 May 2020 12:42:06 -0400 Subject: [PATCH 3/5] #4279: Stop test_ssh_vcs_install from failing Remove expectation of `version` key in `test_ssh_vcs_install` to stop it from failing. Mirrors similar change to `test_git_vcs_install` in 243b4fd0df552b7430fbaa5dadbaa4d7b322127f. --- news/4279.trivial.rst | 2 ++ tests/integration/test_install_uri.py | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 news/4279.trivial.rst diff --git a/news/4279.trivial.rst b/news/4279.trivial.rst new file mode 100644 index 00000000..3d57e01a 
--- /dev/null +++ b/news/4279.trivial.rst @@ -0,0 +1,2 @@ +Remove expection of ``version`` key in ``test_ssh_vcs_install`` to prevent it +from failing. diff --git a/tests/integration/test_install_uri.py b/tests/integration/test_install_uri.py index 2300ec82..534cc5e9 100644 --- a/tests/integration/test_install_uri.py +++ b/tests/integration/test_install_uri.py @@ -59,7 +59,6 @@ def test_ssh_vcs_install(PipenvInstance): assert p.lockfile["default"]["six"] == { "git": "ssh://git@github.com/benjaminp/six.git", "ref": "15e31431af97e5e64b80af0a3f598d382bcdd49a", - "version": "==1.11.0" } From 0ce098edff7e6c1efb10782cea3fca67147a40e1 Mon Sep 17 00:00:00 2001 From: Sumana Harihareswara Date: Thu, 28 May 2020 17:37:11 -0400 Subject: [PATCH 4/5] Remove pypa-dev mention in release process Per https://groups.google.com/d/msg/pypa-dev/rUNsfIbruHM/LCEx-CB5AgAJ the pypa-dev Google Group is now decommissioned. Pointing to Discourse instead. Signed-off-by: Sumana Harihareswara --- RELEASING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASING.md b/RELEASING.md index 0195b70a..752384fb 100644 --- a/RELEASING.md +++ b/RELEASING.md 
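Review bot: The expected dict now omits `version`, but nothing in the assertion says why an entry locked by commit `ref` should carry no `version` key, so the next reader who sees `six==1.11.0` in a lockfile may be tempted to add it back. A one-line comment above the assertion would settle it, e.g. `# VCS deps are locked by their resolved commit ref only; no "version" key is written (same as test_git_vcs_install)`. It is worth noting in that comment that the dict equality still checks the exact key set, so the test does fail if a `version` key reappears — that is the intended check, not an accident of the removal. The enclosing `test_ssh_vcs_install` starts outside the hunk, and the hunk's trailing context lines appear to have collapsed in this rendering.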
@@ -159,11 +159,11 @@ If in doubt, follow the basic instructions below. 3. Get credentials to co-maintain the pipenv project on PyPI.org -- **SPOF alert** 4. Set the version number to [a pre-release identifier](https://www.python.org/dev/peps/pep-0440/#pre-release-separators) 5. Package and upload pipenv [to PyPI](https://pypi.org/project/pipenv/#history) as a pre-release/alpha -6. Publicize on distutils-sig, pypa-dev, and the relevant GitHub issue(s) +6. Publicize on distutils-sig, [Discourse](https://discuss.python.org/c/packaging), and the relevant GitHub issue(s) a. write up diplomatic notification 7. Recruit manual testing ([example](https://pad.sfconservancy.org/p/help-test-pipenv-2020-03-26)) for workflows we don't account for 8. Wait a week, then update version number to a canonical release and re-release on PyPI.org -10. Publicize on lists, GitHub issues +10. Publicize on lists, Discourse, GitHub issues From 873beae5672a76a0d0179f416a97775c82bcdeb2 Mon Sep 17 00:00:00 2001 From: "Gordon P. Hemsley" Date: Fri, 29 May 2020 00:01:12 -0400 Subject: [PATCH 5/5] #4278: Don't pin wildcard versions in lockfile Fixes bug introduced by 552d1274eacbd04c61f46f639bd967d294f25e6a, which activated the (unused) changes made much earlier in a08a2da52488fa31b1e74b22211f383566fef16b. --- news/4278.bugfix.rst | 1 + pipenv/utils.py | 2 +- tests/integration/test_lock.py | 13 +++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 news/4278.bugfix.rst diff --git a/news/4278.bugfix.rst b/news/4278.bugfix.rst new file mode 100644 index 00000000..21396490 --- /dev/null +++ b/news/4278.bugfix.rst @@ -0,0 +1 @@ +Fix a bug that caused non-specific versions to be pinned in ``Pipfile.lock``. diff --git a/pipenv/utils.py b/pipenv/utils.py index d008e761..ce1354cd 100644 --- a/pipenv/utils.py +++ b/pipenv/utils.py 
@@ -1191,7 +1191,7 @@ def get_locked_dep(dep, pipfile_section, prefer_pipfile=True):
     lockfile_name, lockfile_dict = lockfile_entry.copy().popitem()
     lockfile_version = lockfile_dict.get("version", "")
     # Keep pins from the lockfile
-    if prefer_pipfile and lockfile_version != version and version.startswith("=="):
+    if prefer_pipfile and lockfile_version != version and version.startswith("==") and "*" not in version:
         lockfile_dict["version"] = version
     lockfile_entry[lockfile_name] = lockfile_dict
     return lockfile_entry
diff --git a/tests/integration/test_lock.py b/tests/integration/test_lock.py
index 672fbedf..48232e60 100644
--- a/tests/integration/test_lock.py
+++ b/tests/integration/test_lock.py
@@ -748,3 +748,16 @@ def test_lock_nested_vcs_direct_url(PipenvInstance):
         assert "git" in p.lockfile["default"]["sibling-package"]
         assert "subdirectory" in p.lockfile["default"]["sibling-package"]
         assert "version" not in p.lockfile["default"]["sibling-package"]
+
+
+@pytest.mark.lock
+@pytest.mark.install
+def test_lock_package_with_wildcard_version(PipenvInstance):
+    with PipenvInstance(chdir=True) as p:
+        c = p.pipenv("install 'six==1.11.*'")
+        assert c.ok
+        assert "six" in p.pipfile["packages"]
+        assert p.pipfile["packages"]["six"] == "==1.11.*"
+        assert "six" in p.lockfile["default"]
+        assert "version" in p.lockfile["default"]["six"]
+        assert p.lockfile["default"]["six"]["version"] == "==1.11.0"
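Review bot: The new `"*" not in version` guard is a substring heuristic stacked on `version.startswith("==")`, and the pair still lets a compound spec such as `==1.11.0,<2` or the arbitrary-equality form `===1.11.0` overwrite the version the resolver actually locked in `lockfile_dict` — and that resolved version is what the lockfile's hashes were computed for, so the branch should only fire for a single exact pin. Parsing the spec makes the intent explicit (pipenv vendors `packaging`, as far as I can tell, though no import is visible in this hunk): `specs = list(SpecifierSet(version)) if version else []`, `pipfile_pin = len(specs) == 1 and specs[0].operator == "==" and not specs[0].version.endswith(".*")`, `if prefer_pipfile and lockfile_version != version and pipfile_pin:`. If utils.py already has an `is_pinned`-style helper with that logic, reuse it rather than adding a second definition, and note that `SpecifierSet` raises `InvalidSpecifier` on malformed input, which a Pipfile entry can be. Either way the `# Keep pins from the lockfile` comment now says the opposite of what the branch does — it copies the Pipfile pin over the lockfile — and should read `# Prefer an exact "==" pin from the Pipfile; wildcard or compound specs keep the resolver's version`. `get_locked_dep` starts outside the hunk.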
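Review bot: `test_lock_package_with_wildcard_version` hard-codes `==1.11.0` as the locked version, so it pins whichever 1.11.x release the index serves rather than the property under test — that a wildcard spec is not copied into the lockfile verbatim. If this resolves against a live index rather than a fixture, a future six 1.11.x release breaks the test for reasons unrelated to the fix; `assert p.lockfile["default"]["six"]["version"].startswith("==1.11.")` plus `assert "*" not in p.lockfile["default"]["six"]["version"]` checks the behaviour without depending on the index contents. A short docstring naming the regression would also help, e.g. `"""Regression for #4278: a wildcard pin in the Pipfile must not be written to Pipfile.lock as-is."""`.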