updating system requirements may result in pypi dependencies being outdated

[akhmerov]

Checks

• I have checked that this issue has not already been reported.

• I have confirmed this bug exists on the latest version of pixi, using pixi --version.

Reproducible example

(for linux)

mkdir system_requirements && cd system_requirements
pixi init
pixi add python
pixi add --pypi cryptography
pixi install
pixi workspace system-requirements add glibc 2.17
pixi install # already installed
grep "cryptography" pixi.lock | head -n1 | sed 's!.*/!!'
pixi update # only now updates cryptography to use a matching wheel
grep "cryptography" pixi.lock | head -n1 | sed 's!.*/!!'

outputs (note the difference between the wheel versions)

✔ Created /home/anton/tmp/system_requirements/pixi.toml
✔ Added python >=3.13.7,<3.14
✔ Added cryptography >=46.0.0, <47
Added these as pypi-dependencies.
✔ The default environment has been installed.
✔ The default environment has been installed.
cryptography-46.0.0-cp311-abi3-manylinux_2_28_x86_64.whl
Environment: default              
  ~ P cryptography    46.0.0  ->  46.0.0
cryptography-46.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl

Issue description

If system requirements are updated, pixi doesn't realize that locked pypi packages don't meet the requirements until pixi update is run.

Expected behavior

In the script above, I would expect that the second pixi install realizes that the lockfile doesn't specify the spec and updates it, so the version before and after pixi update should be the same.

[Hofer-Julian]

Thank you so much @akhmerov for opening this issue.
I can reproduce this locally.
This is pretty bad, and we'll put this high on our priority list.

[benmoss]

I just noticed the same issue exists for non-pypi dependencies as well. If I have pytorch as a conda dependency and then add a cuda system-requirement, pixi lock doesn't update the lockfile. I have to run pixi update to have it switch from the CPU build of pytorch to the CUDA build.