generate-lockfiles --sync ignores requested dependency versions

[tim-werner]

Describe the bug
In a pyproject.toml file in my repo I have set the dependencies to:
"paramiko>=3.5.0,<=4.0.0"
However, when running generate-lockfiles with the --sync flag the upper bound is ignored.

pants generate-lockfiles --resolve=python-default --sync
17:21:45.28 [INFO] Completed: Generate pex lockfile for python-default
17:21:45.31 [INFO] Wrote lockfile for the resolve `python-default` to 3rdparty/python/default.lock

Lockfile diff: 3rdparty/python/default.lock [python-default]

==                    Upgraded dependencies                     ==

  paramiko                       4.0.0        -->   5.0.0

Running the same with the --no-sync flag results into downgrading it again (respecting the pinned version, how it should be):

17:31:29.10 [INFO] Completed: Generate pex lockfile for python-default
17:31:29.13 [INFO] Wrote lockfile for the resolve `python-default` to 3rdparty/python/default.lock

Lockfile diff: 3rdparty/python/default.lock [python-default]

==                !! Downgraded dependencies !!                 ==

  paramiko                       5.0.0        -->   4.0.0

Pants version
2.32.0

OS
both?

[thiago-carbonera]

Hi, can you assign me this issue?

[tim-werner]

Hi, sorry I do not have the permissions to assign the issue. You have to ask one of the maintainers.

[benjyw]

I couldn't reproduce this. Can you create a toy github repo that demonstrates it? Thanks

[tim-werner]

Hi @benjyw,
thanks for replying. I have create a toy github repo to demonstrate the bug.

pants generate-lockfiles --resolve=python-default --no-sync -> paramiko 4.0.0 is used and the pinned versions are respected

pants generate-lockfiles --resolve=python-default --sync -> update to paramiko 5.0.0 and the pinned versions are not respected.

I can also see that in the dafault.lock.metadata file the generated_with_requirements sections picks up the correct pinned versions but the default.lock file uses the paramiko 5.0.0 version in the case of the--syncoption.

[tim-werner]

the toy exmple can be found here:

https://github.com/tim-werner/bug-report-pantsbuild-23407

[jsirois]

This is almost certainly a Pex bug dealing with the fact you have two top level requirements for the same project; 1 being open ended. That said I won't have solid time to confirm / address until ~July 1st.

[benjyw]

Once pex 2.96.1 is released you will be able to point Pants at it as described here

We'll also upgrade the default version Pants uses to this version.