Bump pipenv from 2025.0.4 to 2026.0.3 #2000
Merged
+24
−40
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependabot
bot
added
dependencies
dependabot
bot
added
dependencies
dependabot
bot
force-pushed
the
dependabot/pip/pipenv-2026.0.3
branch
from
21549cf to
743344b
Compare
Member
|
@dependabot rebase |
Bumps [pipenv](https://github.com/pypa/pipenv) from 2025.0.4 to 2026.0.3. - [Release notes](https://github.com/pypa/pipenv/releases) - [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.md) - [Commits](pypa/pipenv@v2025.0.4...v2026.0.3) --- updated-dependencies: - dependency-name: pipenv dependency-version: 2026.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/pip/pipenv-2026.0.3
branch
from
743344b to
03cfc3a
Compare
edmorley
force-pushed
the
dependabot/pip/pipenv-2026.0.3
branch
from
a052c60 to
602485c
Compare
edmorley
approved these changes
Jan 8, 2026
Member
edmorley
left a comment
edmorley
left a comment
There was a problem hiding this comment.
Of note, the new version fixed several long standing Pipenv bugs around --system and Python version validation, which means that (a) we can remove some workarounds for those bugs, (b) we can now enable the commented out Hatchet test for conflicting Python versions.
Member
tolomea
reviewed
Jan 8, 2026
| # In general Pipenv's support for its `--system` mode seems very buggy. Longer term we | ||
| # should explore moving to venvs, however, that will need to be coordinated across all | ||
| # package managers and also change paths for Python which could break other use cases. | ||
| export VIRTUAL_ENV="${python_home}" |
There was a problem hiding this comment.
this appears to have broken our builds, as of a few hours ago djangos collectstatic is failing due to not being able to import certifi and packaging
Member
There was a problem hiding this comment.
@tolomea Ah strange - the test that was added at the time of the workaround is still passing (when it was failing before the workaround), so this must be a subtly different failure mode. I'm honestly pretty weary with the buginess of Pipenv. I'm very close to just deprecating support for it, now that much more reliable/well maintained (and faster) alternatives are available, such as uv.
Thank you for letting my know anyway! I'll take a closer look now.
There was a problem hiding this comment.
I'm not attached to pipenv, my predecessor choose it and nothing has pushed me to change it
Member
There was a problem hiding this comment.
That seems to be working fine, thank you
edmorley
added a commit
that referenced
this pull request
Jan 8, 2026
In #2000, Pipenv was updated to v2026.0.3, which contained a number of fixes for the historically very buggy `--system` mode. Since that release was meant to fix many of the `--system` bugs, one of the workarounds for those bugs was removed, and the existing tests for that bug still passed. However, it appears that the bug still exists in some form that was not being picked up by the original testcase, as reported in: #2000 (comment) It seems the bug now only reproduces with different versions of the `certifi` package, so I've updated the test fixture accordingly. (My first thought was that perhaps the difference is whether our testcase's `certifi` matches the Pipenv vendored version exactly or not, however, varying to another older version also didn't reproduce?). I've also added `packaging` as another testcase dependency, in the hope that in the future at least one of these packages will be able to reproduce the issue, should we try and remove the workaround again. Longer term, these continual Pipenv bugs are making me inclined to deprecate/strongly discourage Pipenv usage, given there are now much more reliable/better maintained/faster alternatives (such as uv). GUS-W-20819376.
edmorley
added a commit
that referenced
this pull request
Jan 8, 2026
In #2000, Pipenv was updated to v2026.0.3, which contained a number of fixes for the historically very buggy `--system` mode. Since that Pipenv release was meant to fix many of the `--system` bugs, one of the workarounds for those bugs was removed, since even without it the existing tests for that bug still passed (implying the upstream fixes had worked as expected). However, it appears that the bug still exists in some form that was not being picked up by the original testcase, as reported in: #2000 (comment) As such, I've had to re-add the workaround. This also affects the logs, since in the new Pipenv version, if `PIPENV_VERBOSITY="-1"` is set (which is required to stop an obnoxious multi-line warning about a venv being present), then the `Installing dependencies from ...` line is no longer printed. It seems the bug now only reproduces with different versions of the `certifi` package, so I've updated the test fixture accordingly. (My first thought was that perhaps the difference is whether our testcase's `certifi` matches the Pipenv vendored version exactly or not, however, varying to another older version also didn't reproduce?). I've also added `packaging` as another testcase dependency, in the hope that in the future at least one of these packages will be able to reproduce the issue, should we try and remove the workaround again. Longer term, these continual Pipenv bugs are making me inclined to deprecate/strongly discourage Pipenv usage, given there are now much more reliable/better maintained/faster alternatives (such as uv) that don't suffer from these chronic bugs. GUS-W-20819376.
edmorley
added a commit
that referenced
this pull request
Jan 8, 2026
In #2000, Pipenv was updated to v2026.0.3, which contained a number of fixes for the historically very buggy `--system` mode. Since that Pipenv release was meant to fix many of the `--system` bugs, one of the workarounds for those bugs was removed, since even without the workaround the regression test for that bug still passed (implying the upstream fixes had worked as expected). However, it appears that the bug still exists in some form that was not being picked up by the original testcase, as reported in: #2000 (comment) As such, I've had to re-add the workaround. This also affects the logs, since in the new Pipenv version, if `PIPENV_VERBOSITY="-1"` is set (which is required to stop an annoying multi-line warning about a venv being present), then the `Installing dependencies from ...` line is no longer printed. It seems the bug now only reproduces with different versions of the `certifi` package, so I've updated the test fixture accordingly. (My first thought was that perhaps the difference is whether our testcase's `certifi` matches the Pipenv vendored version exactly or not, however, varying to another older version also didn't reproduce?). I've also added `packaging` as another testcase dependency, in the hope that in the future at least one of these packages will be able to reproduce the issue, should we try and remove the workaround again. Longer term, these continual Pipenv bugs are making me inclined to deprecate/strongly discourage Pipenv usage, given there are now much more reliable/better maintained/faster alternatives (such as uv) that don't suffer from these chronic bugs. GUS-W-20819376.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps pipenv from 2025.0.4 to 2026.0.3.
Release notes
Sourced from pipenv's releases.
... (truncated)
Changelog
Sourced from pipenv's changelog.
... (truncated)
Commits
997b40cRelease v2026.0.3fc22870Bumped version to 2026.0.3.6ae09f2Fix zsh parse error in pipenv shell command (#6504)ae2fd54Exclude docs directory from package distribution (#6501)ac013e3Fix pipenv shell --quiet to actually suppress output (#6500)d18e062Release v2026.0.295e21a6Bumped version to 2026.0.2.9411b68Add PIPENV_PROJECT_DIR environment variable (#6497)b37b584Add --no-lock flag to 'pipenv requirements' command (#6496)4aa8431Docs: Update installation guide for PEP 668 compatibility (#6495)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)