Git - Should Pipfile.lock be committed to version control?

Question

When two developers are working on a project with different operating systems, the Pipfile.lock is different (especially the part inside host-environment-markers).

For PHP, most people recommend to commit composer.lock file.

Do we have to do the same for Python?

Usually you just commit `requirements.txt` and exclude everything else (`env/` typically). — Arount, Sep 18 '17 at 11:42
Do I need `requirements.txt` if I am using Pipenv? the Pipfile should be enough? — Julien Le Coupanec, Sep 18 '17 at 11:59

score 94 · Accepted Answer · edited Jul 07 '21 at 15:23

94

Short - Yes!

The lock file tells pipenv exactly which version of each dependency needs to be installed. You will have consistency across all machines.

// update: Same question on github

edited Jul 07 '21 at 15:23

Al Sweigart

11,566
10
64
92

answered Sep 19 '17 at 14:38

wiesson

6,544
5
40
68

1

Thanks for the explainations – Julien Le Coupanec Sep 19 '17 at 15:00
6

The main maintainer of pipenv also recommends to commit the file (especially for applications): https://github.com/kennethreitz/pipenv/issues/598 – Julien Le Coupanec Sep 19 '17 at 22:13

Andrey Zaytsev · Answer 2 · 2022-11-23T10:37:50.713

2

NO, you should not commit Pipfile.lock because:

It will contain info on a specific build of each library. Those builds could be platform-dependent, and you don't want to share them with other developers and between environments (potentially).
It will cache your credentials used locally to install packages from private feeds.

Just a regular Pipfile should probably be enough.

edited Nov 23 '22 at 10:37

answered Nov 23 '22 at 10:36

Andrey Zaytsev

37
2

Where does the lock file cache the credentials? Other than if you use a package repo URL of the form `schema://username:password@host/path`, I don't know how it does. – Nick T Jun 28 '23 at 14:18

Git - Should Pipfile.lock be committed to version control?

2 Answers2