fix: don't mutate cached parsed_pipfile when locking deps

get_locked_dep popped ``version`` and ``ref`` directly off the entry it
received from ``pipfile_section``.  Since #6649 made ``parsed_pipfile``
return a cached TOMLDocument by reference, those pops persisted across
the rest of the pipenv invocation — a subsequent ``write_toml`` (e.g.
``add_pipfile_entry_to_pipfile`` for the newly installed package) would
emit ``six = {}`` instead of ``six = {version = "*"}`` and strip the
version from any inline-table or outline-table siblings.

Copy the dict before scrubbing those keys.  Add a unit regression test
that asserts get_locked_dep leaves the section untouched.

Fixes the integration regression hit by ``test_rewrite_outline_table``
and ``test_rewrite_outline_table_ooo`` on main since the pip 26.1
vendoring run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matteius

news/6657.bugfix.rst

@@ -0,0 +1,5 @@
+Fix ``pipenv install`` corrupting existing inline-table or outline-table
+Pipfile entries (``six = {version = "*"}``, ``[packages.requests]``).  The
+locker was popping ``version``/``ref`` keys directly off the cached
+``parsed_pipfile`` document, so subsequent writes emitted
+``six = {}`` and dropped the version specifier from sibling packages.

pipenv/utils/locking.py

@@ -171,10 +171,14 @@ def get_locked_dep(project, dep, pipfile_section, current_entry=None):
             if pep423_name(pipfile_key) == dep_name or pipfile_key == dep_name:
                 is_top_level = True
                 if isinstance(pipfile_entry, dict):
-                    if pipfile_entry.get("version"):
-                        pipfile_entry.pop("version")
-                    if pipfile_entry.get("ref"):
-                        pipfile_entry.pop("ref")
+                    # Copy before mutating: pipfile_section is the cached
+                    # parsed_pipfile, so popping in place strips the original
+                    # Pipfile entry and corrupts the next write_toml.
+                    pipfile_entry = {
+                        k: v
+                        for k, v in pipfile_entry.items()
+                        if k not in ("version", "ref")
+                    }
                     dep.update(pipfile_entry)
                 break
 

tests/unit/test_locking_no_mutation.py

@@ -0,0 +1,44 @@
+"""Regression test for Pipfile cache corruption during lock.
+
+Before this fix, ``get_locked_dep`` popped ``version`` and ``ref`` keys
+in-place from the entry it received.  That entry is sourced from the
+cached ``parsed_pipfile`` document, so the mutation persisted across the
+rest of the pipenv invocation — the next ``write_toml`` call would emit
+``six = {}`` instead of ``six = {version = "*"}``.
+
+This test patches ``clean_resolved_dep`` (the only project-dependent
+collaborator of ``get_locked_dep``) to a no-op and asserts that the
+input ``pipfile_section`` is left untouched.
+"""
+from unittest import mock
+
+from pipenv.utils import locking
+
+
+def _identity_clean_resolved_dep(project, dep, is_top_level=False, current_entry=None):
+    return {dep["name"]: dict(dep)}
+
+
+def test_get_locked_dep_does_not_mutate_pipfile_section():
+    pipfile_section = {
+        "six": {"version": "*"},
+        "requests": {"version": "*", "extras": ["socks"]},
+        "mypkg": {"git": "https://example.com/mypkg.git", "ref": "main"},
+    }
+    snapshot = {k: dict(v) for k, v in pipfile_section.items()}
+
+    with mock.patch.object(
+        locking, "clean_resolved_dep", side_effect=_identity_clean_resolved_dep
+    ):
+        for dep in (
+            {"name": "six", "version": "==1.16.0"},
+            {"name": "requests", "version": "==2.32.3"},
+            {"name": "mypkg"},
+        ):
+            locking.get_locked_dep(
+                project=None, dep=dep, pipfile_section=pipfile_section
+            )
+
+    assert pipfile_section["six"] == snapshot["six"]
+    assert pipfile_section["requests"] == snapshot["requests"]
+    assert pipfile_section["mypkg"] == snapshot["mypkg"]