There is an issue from 2019 on the pipenv tracker for this issue: https://github.com/pypa/pipenv/issues/3893

According to the last comment there, it should be fixed:

> I don't think this should be an issue in the current 2022.4.8 release because of the requirement to use index restricted packages for locking. Please advise if you think this is still a concern and we can revisit it.

But apparently it is still an issue (assuming the author did use a recent enough pipenv version).

From the article:

> Overall this is pipenv working exactly as it should.

I don't agree, IMO pipenv should just install from the source package and ignore the newer wheel, maybe showing a warning about the new wheel.

Edit: Just noticed that the author agrees in the end:

> I suppose the behavior I’d like to see here is that if my Pipfile.lock has hashes in it for a distribution, then even if additional distributions are available, pipenv sync should be allowed to continue to install from the distribution corresponding to the “trusted” hash.

I prefer to use https://python-poetry.org/ instead of pipenv, since it has fewer issues in my experience. But I wonder how it would behave in this situation.