pypa / pipenv

Python Development Workflow for Humans.
https://pipenv.pypa.io
MIT License

`pipenv install` not respecting lock file since 2024.3.1 release. #6306

Closed chrisgavin closed 2 weeks ago

chrisgavin commented 3 weeks ago

Issue description

When running pipenv install using pipenv 2024.3.0, my lockfile appears to be respected and the correct dependency versions from it are installed. When doing the same with 2024.3.1, far newer versions of the dependencies are installed.

Expected result

The versions specified in the lock file should be used.

Actual result

The latest versions of dependencies are installed instead.

Steps to replicate

To reproduce I've made this Dockerfile.

```dockerfile
FROM python:3.9
WORKDIR /tmp/
RUN pip install pipenv==2024.3.1
RUN cat <<EOF > Pipfile
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
sh = "*"
EOF
RUN cat <<EOF > Pipfile.lock
{
    "_meta": {
        "hash": {
            "sha256": "f9adf532d46f4787b6afe331abe415d5698ef7523cd6225605328b61f361d427"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "sh": {
            "hashes": [
                "sha256:39aa9af22f6558a0c5d132881cf43e34828ca03e4ae11114852ca6a55c7c1d8e",
                "sha256:75e86a836f47de095d4531718fe8489e6f7446c75ddfa5596f632727b919ffae"
            ],
            "index": "pypi",
            "version": "==1.14.1"
        }
    },
    "develop": {}
}
EOF
RUN pipenv install
RUN (pipenv graph | grep 1.14.1) || (pipenv graph && false)
```

When building this Dockerfile the build fails on the last stage as pipenv has not installed sh 1.14.1 and instead used sh 2.1.0.

The problem does not reproduce if the pipenv version is changed to 2024.3.0, or the --deploy flag is added to the install command.


$ pipenv --support

Pipenv version: `'2024.3.1'`

Pipenv location: `'/usr/local/lib/python3.9/site-packages/pipenv'`

Python location: `'/usr/local/bin/python3.9'`

OS Name: `'posix'`

User pip version: `'24.2'`

user Python installations found:

PEP 508 Information:

```
{'implementation_name': 'cpython',
 'implementation_version': '3.9.20',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '6.8.0-47-generic',
 'platform_system': 'Linux',
 'platform_version': '#47~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Oct 2 '
                     '16:16:55 UTC 2',
 'python_full_version': '3.9.20',
 'python_version': '3.9',
 'sys_platform': 'linux'}
```

System environment variables:

- `PATH`
- `HOSTNAME`
- `TERM`
- `LANG`
- `GPG_KEY`
- `PYTHON_VERSION`
- `PYTHON_SHA256`
- `HOME`
- `PIP_DISABLE_PIP_VERSION_CHECK`
- `PYTHONDONTWRITEBYTECODE`
- `PYTHONFINDER_IGNORE_UNSUPPORTED`

Pipenv–specific environment variables:

Debug–specific environment variables:

- `PATH`: `/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`
- `LANG`: `C.UTF-8`

---------------------------

Contents of `Pipfile` ('/tmp/Pipfile'):

```toml
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
sh = "*"
```

Contents of `Pipfile.lock` ('/tmp/Pipfile.lock'):

```json
{
    "_meta": {
        "hash": {
            "sha256": "f9adf532d46f4787b6afe331abe415d5698ef7523cd6225605328b61f361d427"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "sh": {
            "hashes": [
                "sha256:7e27301c574bec8ca5bf6f211851357526455ee97cd27a7c4c6cc5e2375399cb",
                "sha256:bf5e44178dd96a542126c2774e9b7ab1d89bfe0e2ef84d92e6d0ed7358d63d01"
            ],
            "index": "pypi",
            "markers": "python_full_version >= '3.8.1' and python_version < '4.0'",
            "version": "==2.1.0"
        }
    },
    "develop": {}
}
```

matteius commented 2 weeks ago

@chrisgavin PR opened with additional test case if you wouldn't mind having a look. CC @oz123

chrisgavin commented 2 weeks ago

Thanks @matteius! That was quick. I can confirm this fix seems to do the job on the project I was having the issue on.
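
A generalisation of the `pipenv graph | grep 1.14.1` check in the reproduction above, as an added example that is not part of the original thread or of pipenv's own code: it compares every `==` pin in `Pipfile.lock` with what is actually installed and fails the build on any drift. The function names and `SAMPLE_LOCK` are illustrative; it checks versions only, not the recorded hashes.

```python
"""Verify installed packages against the pins in Pipfile.lock (added example)."""
import json
import re
from importlib import metadata


def canonical(name):
    # PEP 503 normalisation so "Foo_Bar" and "foo-bar" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def locked_pins(lock, sections=("default",)):
    """Return {canonical name: exact version} for every '==' pin in the lock.

    Entries without a '==' version (VCS or local-path dependencies) are skipped.
    """
    pins = {}
    for section in sections:
        for name, entry in lock.get(section, {}).items():
            version = entry.get("version", "")
            if version.startswith("=="):
                pins[canonical(name)] = version[2:]
    return pins


def installed_versions():
    """Snapshot the current environment as {canonical name: version}."""
    return {canonical(d.metadata["Name"]): d.version
            for d in metadata.distributions() if d.metadata["Name"]}


def find_drift(lock, installed):
    """List (name, locked, installed-or-None) for every pin not met exactly."""
    return [(name, want, installed.get(name))
            for name, want in sorted(locked_pins(lock).items())
            if installed.get(name) != want]


# Constructed sample mirroring the "default" section of the lock file in the report.
SAMPLE_LOCK = {"default": {"sh": {"index": "pypi", "version": "==1.14.1"}},
               "develop": {}}

if __name__ == "__main__":
    import sys
    with open("Pipfile.lock") as fh:
        drift = find_drift(json.load(fh), installed_versions())
    for name, want, got in drift:
        print(f"{name}: locked {want}, installed {got or 'nothing'}")
    sys.exit(1 if drift else 0)
```

Run it with the virtualenv's interpreter (for example via `pipenv run python`) right after `pipenv install`, from the directory holding `Pipfile.lock`.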