serverless/serverless-python-requirements

Plugin not compatible with =>2022.8.13 of pipenv

tylerzisk opened this issue · 4 comments

Issue Description

Currently the plugin is not compatible with any version of pipenv > 2022.8.13 as they have changed how the requirements.txt command is used.

The plugin currently calls pipenv lock --requirements --keep-outdated and starting with 2022.8.13 they have removed the -requirements and --keep-outdated flags and consolidated to pipenv requirements.

Not blaming the plugin as this seems like a very dumb and breaking change on part of the maintainers of pipenv.

The current workaround I have employed to my company's codebases is to set the install step of pipenv to use version 2022.8.5, as it is the last with the old syntax usage:

pip install pipenv==2022.8.5

Per their documentation:
Screen Shot 2022-08-15 at 1 22 14 PM

I'd recommend calling pipenv requirements --hash as the equivalent of this. Maybe the hash is a new feature but it helps maintain the protection against package confusion attacks.

I'm now doing this manually before calling serverless package though I also have to delete my pipfile and pipfile.lock as part of the build to make sure that this plugin uses the requirements.txt instead of the pipfile

A temporary workaround to solve this issue is to install the plugin through the PR branch with

npm install andidev/serverless-python-requirements#support-latest-pipenv

A temporary workaround to solve this issue is to install the plugin through the PR branch with

npm install andidev/serverless-python-requirements#support-latest-pipenv

Hey, I've added a PR to fix an issue I've hadd with git packages being the sources.

I'm closing as #718 should resolve the issue