pipenv: Pipfile.lock file shows different version than what's installed

I have django installed using pipenv install django

I check the version of Django installed using

python -m django --version
3.0.3

So it's 3.0.3

I ran pipenv lock sometime later, after installing a few more packages

I check the Pipfile.lock to see what Django version it locks to: 3.0.6

{
    "_meta": {
        "hash": {
            "sha256": "1c89f4b79e61ac01a5f1b50db6b6b0b4ba34199a99f96caf61885884b43a8b3a"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.7"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
    ....
        "django": {
            "hashes": [
                "sha256:051ba55d42daa3eeda3944a8e4df2bc96d4c62f94316dea217248a22563c3621",
                "sha256:9aaa6a09678e1b8f0d98a948c56482eac3e3dd2ddbfb8de70a868135ef3b5e01"
            ],
            "index": "pypi",
            "version": "==3.0.6"
        },
    ....
    }
    "develop": {
        ....
        "django": {
            "hashes": [
                "sha256:051ba55d42daa3eeda3944a8e4df2bc96d4c62f94316dea217248a22563c3621",
                "sha256:9aaa6a09678e1b8f0d98a948c56482eac3e3dd2ddbfb8de70a868135ef3b5e01"
            ],
            "index": "pypi",
            "version": "==3.0.6"
        },
    ....
    }

And this is my Pipfile

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
django-extensions = "*"
ipython = "*"
werkzeug = "*"
pydotplus = "*"
django-querycount = "*"
jupyter = "*"
flower = "*"
django-request-logging = "*"

[packages]
django = "*"
psycopg2 = "*"
django-environ = "*"
celery = "*"
redis = "==3.3.11"
pyjwt = "*"
django-webpack-loader = "*"
django-rest-framework = "*"
kombu = "*"
django-otp = "*"
pyotp = "*"
gunicorn = "*"

[requires]
python_version = "3.7"

Also, I checked the version from pipenv graph; it shows the right installed version, 3.0.3

django-environ==0.4.5
django-extensions==2.2.6
  - six [required: >=1.2, installed: 1.14.0]
django-otp==0.9.0
  - django [required: >=1.11, installed: 3.0.3]
    - asgiref [required: ~=3.2, installed: 3.2.7]
    - pytz [required: Any, installed: 2019.3]
    - sqlparse [required: >=0.2.2, installed: 0.3.0]
django-querycount==0.7.0
django-request-logging==0.7.0
  - Django [required: Any, installed: 3.0.3]
    - asgiref [required: ~=3.2, installed: 3.2.7]
    - pytz [required: Any, installed: 2019.3]
    - sqlparse [required: >=0.2.2, installed: 0.3.0]
django-rest-framework==0.1.0
  - djangorestframework [required: Any, installed: 3.11.0]
    - django [required: >=1.11, installed: 3.0.3]
      - asgiref [required: ~=3.2, installed: 3.2.7]
      - pytz [required: Any, installed: 2019.3]
      - sqlparse [required: >=0.2.2, installed: 0.3.0]
django-webpack-loader==0.7.0

So how should I understand the 3.0.6 in Pipfile.lock? When I create a new virtual env using this file, will my Django version change from 3.0.3 to 3.0.6?

Of course, here it may not matter. But I am afraid of the version changing from 3.0.3 to 3.2.0 (it's a major change then)



Solution 1:[1]

Faced the same issue. I used this script to change the "*"s in your Pipfile to the actual versions in the Pipfile.lock file, as I needed specific versions.

import os
import json

# Globals
STAR = '"*"'
PIPFILE = "Pipfile"
PIPFILE_T = "Pipfile_temp"
PIPFILE_LOCK = "Pipfile.lock"

def main():
    """Entry point"""

    # Get entire Pipfile.lock file
    with open(PIPFILE_LOCK) as pipfile_lock:
        pf = json.load(pipfile_lock)

    # Get the packages (either section may be absent)
    pkgs = pf.get("default", {})
    pkgs_dev = pf.get("develop", {})

    # Unify them as a source
    source = {**pkgs, **pkgs_dev}

    # Parse the Pipfile
    with open(PIPFILE) as pipfile:
        with open(PIPFILE_T, 'w') as new_pip_file:

            # Iterate each line
            for line in pipfile:
                line = line.strip()

                # Lines without a star are written back unchanged
                tw = line

                # Check for stars
                if STAR in line:
                    # Get package name
                    pkg = line.split("=")[0].strip()

                    # Get affiliated version, falling back to the
                    # lowercase name; a package missing from the lock
                    # keeps its star instead of crashing the script
                    entry = source.get(pkg) or source.get(pkg.lower()) or {}
                    vsn_ = entry.get("version")

                    # Replace it with the version
                    if vsn_:
                        tw = line.replace(STAR, f'"{vsn_}"')

                # Update the temp Pipfile
                new_pip_file.write(f"{tw}\n")

    # Replace the old Pipfile with the temp one in a single step
    os.replace(PIPFILE_T, PIPFILE)

if __name__ == "__main__":
    main()

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 olumidesan
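
An added example, not part of the original question or answer: a drift check that compares the `==` pins in a parsed Pipfile.lock against the versions actually installed, which is the mismatch the question describes (lock says 3.0.6, environment has 3.0.3). The function names and the sample data are constructed for illustration; the `ipython` version in the sample is made up.

```python
import json
import re
from importlib import metadata  # Python 3.8+


def normalize(name):
    """PEP 503 name normalization, so 'Django' and 'django' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def locked_versions(lock, sections=("default", "develop")):
    """Map normalized package name -> pinned version from a parsed Pipfile.lock."""
    pins = {}
    for section in sections:
        for name, entry in lock.get(section, {}).items():
            version = entry.get("version", "")
            if version.startswith("=="):  # entries without an exact pin are skipped
                pins[normalize(name)] = version[2:]
    return pins


def installed_versions():
    """Map normalized name -> version for the currently active environment."""
    found = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            found[normalize(name)] = dist.version
    return found


def find_drift(lock, installed):
    """Return {name: (locked, installed_or_None)} for every mismatch."""
    drift = {}
    for name, want in locked_versions(lock).items():
        have = installed.get(name)
        if have != want:
            drift[name] = (want, have)
    return drift


# Constructed sample mirroring the question: the lock pins 3.0.6, the env has 3.0.3.
SAMPLE_LOCK = json.loads("""
{"default": {"django": {"version": "==3.0.6"}, "redis": {"version": "==3.3.11"}},
 "develop": {"ipython": {"version": "==7.13.0"}}}
""")
SAMPLE_ENV = {"django": "3.0.3", "redis": "3.3.11"}

if __name__ == "__main__":
    for name, (want, have) in sorted(find_drift(SAMPLE_LOCK, SAMPLE_ENV).items()):
        print(f"{name}: locked {want}, installed {have or 'MISSING'}")
```

Against a real project, load Pipfile.lock with `json.load` and pass `installed_versions()` as the second argument, run from inside the project's virtual environment.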