
pipenv: why run pipenv lock when the lock file is automatically created whenever I install a package

Pipenv:

I found at https://realpython.com/pipenv-guide/ that to transfer the project to development I have to run

pipenv lock

(to update/create the Pipfile.lock file)

As per my understanding whenever we install any package using

pipenv install django

Pipfile.lock is automatically generated/updated.

So what's the need to do

pipenv lock

Isn't the Pipfile.lock always up to date?

Of course, in case I want to create the .lock file at any time (by chance if it's deleted) I may do pipenv lock.

Also, if by chance the Pipfile is deleted, can I recreate it again?

It ensures that the dependencies are defined before you start/continue installation -

From https://pipenv.readthedocs.io/en/latest/basics/#pipenv-lock

$ pipenv lock is used to create a Pipfile.lock, which declares all dependencies (and sub-dependencies) of your project, their latest available versions, and the current hashes for the downloaded files. This ensures repeatable, and most importantly deterministic, builds.

You're right that the Pipfile.lock has already been created when installing the virtual environment or some packages. As far as I understand, the goal would be to update all your dependencies before entering production.

But I think, against the documentation, you should not update the Pipfile.lock at this stage, unless you're very confident in your CI pipeline and your test framework, because it could potentially deploy in production some untested dependency version. Remember that pipenv lock will not install the updated dependencies on your development machine, and if you rerun your tests without pipenv sync you will not test the updated dependencies. I prefer locking the dependencies once and for all at an early stage, then keeping it until deployment, then after the deployment updating the dependencies and beginning the next version.

That's also why I am very careful with pip install <package>, because it will also automatically update all your dependencies, while I would prefer that pipenv tries to keep all the other dependency versions unchanged, unless specifically specified or there is a clash between dependency versions.

Let me explain this more clearly. Say you are working on a project where you are using pandas version 2.9.5 and this is the latest version of pandas. In the Pipfile you will see the entry

pandas = "*"

Here the * means the latest version of pandas, but in Pipfile.lock it will not be represented by *; it will be a deterministic 2.9.5 (Pipfile.lock is a deterministic file).

Today 2.9.5 is the latest version, but tomorrow we may get 2.10, which may not be compatible with your project.

You do not move the Pipfile from the testing environment to production; you always move Pipfile.LOCK to the production environment. This makes sure that the versions are locked at the particular mentioned version and not at * (latest version). I hope I am clear.
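The answer above turns on the difference between the loose specifier in the Pipfile (pandas = "*") and the exact pin plus file hashes that Pipfile.lock carries. As an added example (not from the original answers or from pipenv itself), here is a small check a deployment pipeline can run before shipping a lock file: it confirms every Pipfile package is present in Pipfile.lock, pinned with == and accompanied by hashes. The Pipfile, Pipfile.lock, versions and hash strings below are constructed placeholders.

```python
import json
import re

# Constructed sample Pipfile (TOML) and Pipfile.lock (JSON); versions and
# hashes are placeholders, not real package data.
PIPFILE = """
[packages]
pandas = "*"
requests = ">=2.0"

[dev-packages]
pytest = "*"
"""

PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "placeholder"}},
    "default": {
        "pandas": {"version": "==2.9.5", "hashes": ["sha256:placeholder-a"], "index": "pypi"},
        "requests": {"version": "==2.31.0", "hashes": []},          # pinned, but no hashes
    },
    "develop": {
        "pytest": {"version": "*", "hashes": ["sha256:placeholder-b"]},  # not pinned
    },
})


def pipfile_packages(text):
    """Minimal Pipfile reader: return {section: set(package names)}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([\w-]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, set())
        elif current and "=" in line:
            sections[current].add(line.split("=", 1)[0].strip().strip('"'))
    return sections


def lock_problems(pipfile_text, lock_text):
    """List reasons why this Pipfile.lock would not give a deterministic build."""
    lock = json.loads(lock_text)
    wanted = pipfile_packages(pipfile_text)
    problems = []
    for pf_section, lock_section in {"packages": "default", "dev-packages": "develop"}.items():
        locked = lock.get(lock_section, {})
        for name in wanted.get(pf_section, set()):
            if name not in locked:
                problems.append(f"{name}: in Pipfile [{pf_section}] but not in Pipfile.lock")
        for name, entry in locked.items():
            version = entry.get("version", "")
            if not re.fullmatch(r"==\S+", version):
                problems.append(f"{name}: version {version!r} is not pinned with ==")
            if not entry.get("hashes"):
                problems.append(f"{name}: no hashes recorded")
    return sorted(problems)
```

Run against real files, pass the contents of Pipfile and Pipfile.lock; an empty list means the lock pins and hashes everything the Pipfile asks for.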
