-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add flag to only install packages explicitly requested #12958
Comments
I'm a bit confused. If pip downgraded numpy, it's because one of the packages you installed declared that it depended on Footnotes
|
I beleive the standard way to handle this workflow is to resolve your packages ahead of time install time. Using a And if you need to override requirements of packages, uv explicitly supports that: https://docs.astral.sh/uv/concepts/resolution/#dependency-overrides Or am I missing something about what you need? |
Sorry, I provided too much context that was a distraction!
Correct, but I would like it to fail the install and tell me why, rather than do the downgrade.
This is not necessarily true, there are a lot of packages out there that pessimistically put upper caps on dependencies1 and it is trivial to have an environment that has in-practice incompatible packages (as in the code does not run properly) that the metadata says should be OK. That is cool that uv has This flag would also be useful for other packaging ecosystems to replace things like
if h5py were to ever gain an extra dependency2 and we missed it in updating runtime dependencies this command would happily work and we should distribute broken binary artifacts. If we had I'm sure the compile workflow works for some people, but I do not think everyone can be shoe-horned into it (for example doing cross-library development or if you use some other packaging ecosystem for your base environment). Footnotes
|
OK, that makes more sense. I think we'd need to see more evidence that this is a common requirement, though. We can't just add a new option to pip whenever someone comes up with something that would be useful to them - we need to consider the costs vs the benefits.
I'm sorry, and I know you won't like this answer, but that's a bug in the package dependency metadata, then. If A says it doesn't work with B, but it does, then A's metadata is at fault, not pip for believing what A said.
I don't think it's reasonable to assume that all installers will implement the same feature sets. And I definitely don't think you should "start with pip for political sequencing issues" - much better to start with the installer that is the best match for your use case (which may well be Moving away from broad matters of policy, I don't think this is suggestion is a good fit for pip. We don't have dependency overrides, we have a policy of expecting package metadata to be correct and reliable, and the use cases seem to me more around "manually managing lists of dependencies" than "installing packages". I'm going to leave this issue open, to give the other maintainers a chance to give their views (which may well differ from mine) but personally, I'm against this idea. |
One way of looking at this could be, --no-deps should still solve dependencies. After all, the option describes itself as "Don't install package dependencies". It doesn't say anything about permitting to create a broken install -- and it does indeed create a broken install, if dependencies aren't available and it installs one wheel. Maybe changing that would be too big of a breaking change for existing workflows. Still, it's an interesting thing to think about... |
I think this would also go a long way to helping prevent issues when using
I think |
What's the problem this feature will solve?
When installing a package with
pip install foo
any required dependencies will also be installed, including possibly downgrading or upgrading already installed packages. In some contexts (such as when usingpip
to install into externally managed or are using a virtual environment but want to keep careful control of what is installed) it is preferable for the install to fail with an error.Describe the solution you'd like
I think something like
with an entry in
pip install help
like:Ideally the error message on failure would also tell you what packages / versions the resolver requested and which of the explicitly requested package is the source of that dependency.
This patch implements the requested behavior (without any attempt to thread through the configuration or a nice error message):
Alternative Solutions
--no-deps
prevents any extra packages from being installed, but throws the baby out with the bathwater by doing no checking at all. It is preferable to catch issues with changing or conflicting dependencies at install time than at runtime.Additional context
I've been using a version of the patch above locally for about a year and it has been very useful.
How I originally discovered the need for this was during the lead up to numpy 2.0. I wanted to test what projects were actually broken with numpy2, so I built an environment with it, started to install things that depended on numpy who had followed the guidance of numpy and the pip helpfully down-graded my numpy to a 1.x version defeating my goal (I went a good while before I noticed this and was very happy with how few issues there were 🤦🏻 ).
The proposed feature is something I use to help catch when things like this happen again (mostly due to projects that (in my view) cap too hard) but for my use case I would rather know and deal with it.
Code of Conduct
The text was updated successfully, but these errors were encountered: