pipenv install --skip-lock downloads a different version of packages than specified in Pipfile

[NaimShaqqou]

Issue description

In pipenv version 2024.2.0, the pipenv install command with the --skip-lock flag downloads a different version of a package than what is specified in the Pipfile. When I don't use the --skip-lock flag, the correct version of the package gets installed. This behavior is different than past versions of pipenv (e.g. 2024.1.0).

Expected result

This output is from pipenv version 2024.1.0. The expected result is that gunicorn==20.0.2 would be downloaded as specified in the Pipfile.

Note how it says Preparing Installation of 'gunicorn==20.0.2' in the output.

$ python3.12 -m pipenv install --skip-lock --python 3.12 --verbose

The flag --skip-lock has been reintroduced (but is not recommended).  Without the lock resolver it is difficult to manage multiple package 
indexes, and hash checking is not provided.  However it can help manage installs with current deficiencies in locking across platforms.
Using python: 3.12
Path to python: /usr/bin/python3.12
Creating a virtualenv for this project
Pipfile: /var/app/current/Pipfile
Using /usr/bin/python3.123.12.7 to create virtualenv...
⠇ Creating virtual environment...created virtual environment CPython3.12.7.final.0-64 in 434ms
  creator CPython3Posix(dest=/home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, via=copy, app_data_dir=/home/ec2-user/.local/share/virtualenv)
    added seed packages: pip==24.2
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

✔ Successfully created virtual environment!
Virtualenv location: /home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe
Warning: Your Pipfile requires python_version 3.7, but you are using 3.12.7 (/home/e/.local/share/v/c/bin/python).
  $ pipenv --rm and rebuilding the virtual environment may resolve the issue.
  $ pipenv check will surely fail.
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
Installing dependencies from Pipfile...
Writing supplied requirement line to temporary file: 'gunicorn==20.0.2'
Install Phase: Editable Requirements
Preparing Installation of 'gunicorn==20.0.2'
$ /home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe/bin/python /opt/elasticbeanstalk/site-packages/pipenv/patched/pip/__pip-runner__.py 
install -i https://pypi.org/simple --no-input --upgrade -r /tmp/pipenv-_jqk04c6-requirements/pipenv-kxvco_vi-reqs.txt
Using source directory: '/home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe/src'
Collecting gunicorn==20.0.2 (from -r /tmp/pipenv-_jqk04c6-requirements/pipenv-kxvco_vi-reqs.txt (line 1))

  Downloading gunicorn-20.0.2-py2.py3-none-any.whl.metadata (3.5 kB)

Collecting setuptools>=3.0 (from gunicorn==20.0.2->-r /tmp/pipenv-_jqk04c6-requirements/pipenv-kxvco_vi-reqs.txt (line 1))

  Downloading setuptools-75.3.0-py3-none-any.whl.metadata (6.9 kB)

Downloading gunicorn-20.0.2-py2.py3-none-any.whl (115 kB)

   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 115.6/115.6 kB 4.5 MB/s eta 0:00:00

Downloading setuptools-75.3.0-py3-none-any.whl (1.3 MB)

   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.3/1.3 MB 30.7 MB/s eta 0:00:00

Installing collected packages: setuptools, gunicorn

Successfully installed gunicorn-20.0.2 setuptools-75.3.0

Actual result

This output is from pipenv 2024.2.0. The latest gunicorn version gets downloaded even though I requested gunicorn==20.0.2 in the Pipfile.

Note how it says: Preparing Installation of 'gunicorn' without specifying the version. The expected output has the version here so I think there is an issue with parsing the version from the pipfile.

$ python3.12 -m pipenv install --skip-lock --verbose --python 3.12

The flag --skip-lock has been reintroduced (but is not recommended).  Without the lock resolver it is difficult to manage multiple package 
indexes, and hash checking is not provided.  However it can help manage installs with current deficiencies in locking across platforms.
Using python: 3.12
Path to python: /usr/bin/python3.12
Creating a virtualenv for this project
Pipfile: /var/app/current/Pipfile
Using /usr/bin/python3.123.12.7 to create virtualenv...
⠙ Creating virtual environment...created virtual environment CPython3.12.7.final.0-64 in 87ms
  creator CPython3Posix(dest=/home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, via=copy, app_data_dir=/home/ec2-user/.local/share/virtualenv)
    added seed packages: pip==24.2
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

✔ Successfully created virtual environment!
Virtualenv location: /home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
Installing dependencies from Pipfile...
Writing supplied requirement line to temporary file: 'gunicorn'
Install Phase: Editable Requirements
Preparing Installation of 'gunicorn'
$ /home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe/bin/python /opt/elasticbeanstalk/site-packages/pipenv/patched/pip/__pip-runner__.py 
install -i https://pypi.org/simple --no-input --upgrade -r /tmp/pipenv-cjv9xome-requirements/pipenv-jns991_3-reqs.txt
Using source directory: '/home/ec2-user/.local/share/virtualenvs/current-nIaIHBPe/src'
Collecting gunicorn (from -r /tmp/pipenv-cjv9xome-requirements/pipenv-jns991_3-reqs.txt (line 1))

  Using cached gunicorn-23.0.0-py3-none-any.whl.metadata (4.4 kB)

Collecting packaging (from gunicorn->-r /tmp/pipenv-cjv9xome-requirements/pipenv-jns991_3-reqs.txt (line 1))

  Using cached packaging-24.1-py3-none-any.whl.metadata (3.2 kB)

Using cached gunicorn-23.0.0-py3-none-any.whl (85 kB)

Using cached packaging-24.1-py3-none-any.whl (53 kB)

Installing collected packages: packaging, gunicorn

Successfully installed gunicorn-23.0.0 packaging-24.1

Steps to replicate

Pipfile:

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
gunicorn = "==20.0.2"

Command:

python3.12 -m pipenv install --skip-lock --verbose --python 3.12

---

$ pipenv --support

Pipenv version: '2024.2.0'

Pipenv location: '/opt/elasticbeanstalk/site-packages/pipenv'

Python location: '/usr/bin/python3.12'

OS Name: 'posix'

User pip version: '24.2'

user Python installations found:

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.12.7',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '6.1.112-122.189.amzn2023.x86_64',
 'platform_system': 'Linux',
 'platform_version': '#1 SMP PREEMPT_DYNAMIC Tue Oct  8 17:02:11 UTC 2024',
 'python_full_version': '3.12.7',
 'python_version': '3.12',
 'sys_platform': 'linux'}

System environment variables:

• SHELL
• HISTCONTROL
• SYSTEMD_COLORS
• HISTSIZE
• HOSTNAME
• PWD
• LOGNAME
• XDG_SESSION_TYPE
• MOTD_SHOWN
• HOME
• LANG
• LS_COLORS
• SSH_CONNECTION
• XDG_SESSION_CLASS
• SELINUX_ROLE_REQUESTED
• TERM
• LESSOPEN
• USER
• SELINUX_USE_CURRENT_RANGE
• SHLVL
• XDG_SESSION_ID
• XDG_RUNTIME_DIR
• S_COLORS
• SSH_CLIENT
• which_declare
• PATH
• SELINUX_LEVEL_REQUESTED
• DBUS_SESSION_BUS_ADDRESS
• MAIL
• SSH_TTY
• OLDPWD
• BASH_FUNC_which%%
• _
• PIP_DISABLE_PIP_VERSION_CHECK
• PYTHONDONTWRITEBYTECODE
• PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

• PATH: /home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
• SHELL: /bin/bash
• LANG: en_US.UTF-8
• PWD: /var/app/current

---

Contents of Pipfile ('/var/app/current/Pipfile'):

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
gunicorn = "==20.0.2"

[NaimShaqqou]

Note that when I specify the package version as follows, pipenv install --skip-lock installs the correct version. I think that the "==20.0.2" string isn't being parsed correctly when using --skip-lock flag.

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
gunicorn = {version = "20.0.2"}

[matteius]

Please try the upcoming release branch: #6282

[NaimShaqqou]

Still seeing the same issue using branch #6282

[matteius]

Thanks for your quick response @NaimShaqqou -- I think what you said about the version specifier == vs not should help track this down. Can't guarantee it will make the upcoming release, but will consider it high priority.

[matteius]

@NaimShaqqou Actually I took a quick look and found the problem, I believe this fixes things: #6289

[NaimShaqqou]

Thank you very much! Confirmed that #6289 fixed it