Why --lock-only flag logic removed?

[Grommash9]

I can see in that commit:

6ac1451

The logic from flag lock-only was removed and now we have that flag but it is doing nothing at all, why? Should we fix that?

The sense of that flag is to not update the Pipfile if we don't want to include some packages in it

[Grommash9]

How can I create MR? I am not able to create a branch

[matteius]

The easier question first -- you'd have to fork to create a branch and open a PR.

IIRC correctly, the functionality was removed to fulfill the idea that all specifiers come from the Pipfile: #5818

The problem with something like --lock-only is it will get overwritten with the next lock if it doesn't originate from a Pipfile specifier.

[Grommash9]

How can we update only one sub-dep package? For example idna for requests, I don't want to include it into Pipfile and I don't want to update all the packages, are we able to update only one?

I don't want to add sub-deps into Pipfile because at some point my packages can stop using them and I will be still installing that sub-deps for years

[Grommash9]

An you can see on my photo I am trying to merge changes from my fork main into repo main

[matteius]

I think the problem with --lock-only was that subsequent actions would revert back whatever sub-dependency without it originating from a proper specifier somewhere in the Pipfile. It could be added back, but I am not sure how one would account for that flaw.

[Grommash9]

It would be amazing to add it back and maybe add a warning message? So people will know the consequences of using that flag. In my case it’s very useful and we even trying to use outdated version to use that flag