build(deps): bump pipenv from 2026.5.2 to 2026.6.1 #2889

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/pipenv-2026.6.0
dependabot[bot] (Contributor) commented on behalf of github on Apr 28, 2026

Bumps pipenv from 2026.5.2 to 2026.6.1.

Release notes

Sourced from pipenv's releases.

Release v2026.6.1

🤖 AI-Generated Changelog

Fixed

  • Prevent mutation of cached parsed Pipfile data during dependency locking, resolving potential issues with corrupted lock state across operations

Changed

  • Updated development dependencies (pip group)

🔗 Full Changelog: pypa/pipenv@v2026.6.0...v2026.6.1

Release v2026.6.0

🤖 AI-Generated Changelog

Security

  • Strip credentials from pip argument vectors to prevent credential exposure in logs and process listings (GHSA-8xgg-v3jj-95m2)
  • Validate tar link targets in data_filter fallback to prevent path traversal during package installation (GHSA-p4qx-p8p6-4gjf)

Added

  • Add documentation for git+ssh package sources in Pipfile

Fixed

  • Fix PIPENV_PROJECT_DIR not being expanded correctly in Pipfile script definitions
  • Fix pipenv shell breaking terminal input echo after exit
  • Fix three regressions introduced in a prior release affecting resolver and marker environment handling
  • Restore target_marker_version helper alias for backwards compatibility
  • Fix _target_marker_environment returning incorrect value when allow_global=True

Changed

  • Vendor in Pip 26.1
  • Cache Pipfile parsing and parallelize hash and candidate lookups for improved performance

Dependencies

  • Bump pygments from 2.19.2 to 2.20.0
  • Bump pytest (development dependency)

🔗 Full Changelog: pypa/pipenv@v2026.5.2...v2026.6.0

Changelog

Sourced from pipenv's changelog.

2026.6.1 (2026-04-28)

pipenv 2026.6.1 (2026-04-28)

Bug Fixes

  • Fix pipenv install corrupting existing inline-table or outline-table Pipfile entries (six = {version = "*"}, [packages.requests]). The locker was popping version/ref keys directly off the cached parsed_pipfile document, so subsequent writes emitted six = {} and dropped the version specifier from sibling packages. [#6657](https://github.com/pypa/pipenv/issues/6657)

2026.6.0 (2026-04-27)

pipenv 2026.6.0 (2026-04-27)

Bug Fixes

  • Fix pipenv shell breaking terminal input echo on Linux. The previous implementation toggled setecho(True/False) on the spawned child around its internal setup commands, which fought with the shell's own readline termios management — producing permanently-disabled echo (GH-6572) or double-echoed keystrokes (123411223344). fork_compat no longer touches pty termios; instead it drains the synchronisation sentinel from the pexpect buffer twice (once for the echoed command, once for its output) so nothing leaks into interact(). [#6633](https://github.com/pypa/pipenv/issues/6633)
  • pipenv run <command> -h <arg> now passes -h through to the command instead of showing pipenv's help. All arguments following run_command are captured verbatim via argparse REMAINDER, so flags like -h that pipenv itself also defines no longer collide with the wrapped command. [#6641](https://github.com/pypa/pipenv/issues/6641)
  • Fix ValueError: invalid literal for int() with base 10 when the Pipfile's [requires] section uses a PEP 440 specifier (e.g. python_version = ">=3.9"). Specifier values no longer produce a Python-version override; the running interpreter's actual version is used for marker evaluation instead. [#6645](https://github.com/pypa/pipenv/issues/6645)
  • Install-time marker filtering now evaluates environment markers against the target virtualenv's Python version rather than against the Python version that pipenv itself is running under. This prevents spurious Ignoring …: markers … don't match your environment warnings (and the corresponding missing installs) when pipenv sync --python X.Y is driven by a different system Python. [#6647](https://github.com/pypa/pipenv/issues/6647)
  • pipenv run now expands $PIPENV_PROJECT_DIR and other Pipenv-managed environment variables inside Pipfile script arguments before direct command execution, so project-relative script paths resolve correctly. [#6652](https://github.com/pypa/pipenv/issues/6652)

... (truncated)

Commits
  • da2c9d9 Release v2026.6.1
  • e945cfe Bumped version to 2026.6.1.
  • 1e9ca66 chore(deps-dev): bump the pip group across 1 directory with 2 updates (#6658)
  • 87dffe0 fix: don't mutate cached parsed_pipfile when locking deps (#6657)
  • 75a07fc Release v2026.6.0
  • 2430757 Bumped version to 2026.6.0.
  • 6c0e631 Vendor in Pip 26.1 (#6656)
  • 4cf7d9f Fix Pipfile script expansion for PIPENV_PROJECT_DIR (#6655)
  • 838d0b3 perf: cache Pipfile parse, parallelize hash/candidate lookups, harden benchma...
  • 551d3ae docs: added git+ssh package source documentation for Pipfile (#6651)
  • Additional commits viewable in compare view
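
The 2026.6.0 security note above mentions validating tar link targets when the `data_filter` extraction filter is unavailable. The following is an added example of that kind of check, not code from pipenv, pip, or this pull request; the function names `unsafe_members`, `build_sample` and `extract`, the destination `/srv/unpack`, and the archive contents are all constructed for illustration.

```python
import io
import os
import tarfile


def unsafe_members(tar, dest):
    """List (name, reason) for members that would write or point outside dest."""
    root = os.path.realpath(dest)
    def inside(path):
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    findings = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)  # an absolute name discards root
        if not inside(target):
            findings.append((m.name, "member path escapes destination"))
        elif m.issym() and not inside(os.path.join(os.path.dirname(target), m.linkname)):
            # Symlink targets resolve relative to the directory holding the link.
            findings.append((m.name, "symlink target escapes destination"))
        elif m.islnk() and not inside(os.path.join(root, m.linkname)):
            # Hard-link targets are member names, relative to the archive root.
            findings.append((m.name, "hardlink target escapes destination"))
    return findings


def build_sample():
    """Constructed archive: one benign symlink, one bad symlink, one bad hard link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, linkname in [
            ("pkg/alias.py", tarfile.SYMTYPE, "mod.py"),
            ("pkg/conf", tarfile.SYMTYPE, "../../outside/conf"),
            ("pkg/hard", tarfile.LNKTYPE, "../outside/file"),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, linkname
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf)


def extract(tar, dest):
    """Prefer the stdlib 'data' filter; otherwise run the link checks first."""
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
        return
    problems = unsafe_members(tar, dest)
    if problems:
        raise tarfile.TarError(f"refusing to extract: {problems}")
    tar.extractall(dest)
```

Checking only member names is not enough: a link whose own path is inside the destination can still point outside it, and a later member written through that link would land there.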

dependabot[bot] added the dependencies and python labels on Apr 28, 2026

@sydseter (Collaborator)

@dependabot rebase

Bumps [pipenv](https://github.com/pypa/pipenv) from 2026.5.2 to 2026.6.1.
- [Release notes](https://github.com/pypa/pipenv/releases)
- [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.md)
- [Commits](pypa/pipenv@v2026.5.2...v2026.6.1)

---
updated-dependencies:
- dependency-name: pipenv
  dependency-version: 2026.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] changed the title from "build(deps): bump pipenv from 2026.5.2 to 2026.6.0" to "build(deps): bump pipenv from 2026.5.2 to 2026.6.1" on Apr 28, 2026
dependabot[bot] force-pushed the dependabot/pip/pipenv-2026.6.0 branch from a497a75 to ea247fe on April 28, 2026 16:10