Broken version comparison in system Python version compatibility check #6514

Description

@edmorley

Issue description

In #6453 a check was added to ensure the system Python version is compatible with the python_version declared in Pipfile.lock

However, that check has a string comparison bug that means it incorrectly calls some versions compatible when they are not.

This is due to the use of `not in`, which performs a substring comparison and so incorrectly deems the versions compatible in cases such as the system Python version being v3.13.11 and python_version in the Pipfile.lock being 3.11 (which is a partial substring of 3.13.11, since it matches the last few characters).

See:

```python
if path_to_python and project.required_python_version not in (
    python_version(path_to_python) or ""
):
```

Expected result

For the version comparison to correctly detect incompatible versions.

Actual result

No version warning/error shown.

Steps to replicate

Create this Dockerfile:

```dockerfile
FROM python:3.13.11-slim
WORKDIR /testcase

COPY <<EOF Pipfile
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
typing-extensions = "*"

[requires]
python_version = "3.11"
EOF

COPY <<EOF Pipfile.lock
{
    "_meta": {
        "hash": {
            "sha256": "5a5846099fd5ceb0291e704a94f49cf0b8a226109fdae915a61253b56eaf3ed6"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.11"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "typing-extensions": {
            "hashes": [
                "sha256:a439e7c04b49fec3e5d3e2beaa21755cadbbdc391694e28ccdd36ca4a1408f8c",
                "sha256:e6c81219bd689f51865d9e372991c540bda33a0379d5573cddb9a3a23f7caaef"
            ],
            "index": "pypi",
            "markers": "python_version >= '3.8'",
            "version": "==4.13.2"
        }
    },
    "develop": {}
}
EOF

RUN pip install pipenv==v2026.0.3 --disable-pip-version-check --quiet --root-user-action ignore
# This should abort with an error about incompatible system Python version, but doesn't.
RUN pipenv install --deploy --system
```

Then run it with:
```shell
docker build . --progress plain --no-cache
```

It will succeed, when the pipenv sync command should have errored (since the base image uses Python 3.13.11, but yet python_version in Pipfile and Pipfile.lock specifies Python 3.11).

Note that if you change the FROM line to use python:3.13.10-slim (which is no longer an accidental substring match) then the version check will correctly warn/error again.
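The substring bug described in this issue, reproduced beside a structural comparison, as an added example that is not pipenv's own code. `compatible_substring` mirrors the `not in` check quoted above; `compatible` is an assumed replacement that parses both strings into integer tuples and treats the declared `python_version` as a prefix (so "3.11" accepts any 3.11.x but rejects 3.13.11). Function names and the constructed version strings are the example's own.

```python
import re


def _parse(version: str) -> tuple[int, ...]:
    """Parse the leading dotted-integer part of a version string.

    "3.13.11" -> (3, 13, 11); "3.11" -> (3, 11); "3.14.0rc1" -> (3, 14, 0).
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compatible_substring(required: str, actual: str) -> bool:
    """Reproduces the flawed check: plain substring membership.

    "3.11" in "3.13.11" is True, so an incompatible interpreter passes.
    """
    return required in (actual or "")


def compatible(required: str, actual: str) -> bool:
    """Assumed corrected check: the required version is a component-wise prefix
    of the actual version, compared as integers rather than characters."""
    req = _parse(required)
    act = _parse(actual)
    return act[: len(req)] == req


def find_false_positives(required: str, candidates: list[str]) -> list[str]:
    """Return interpreter versions the substring check would wrongly accept."""
    return [
        v for v in candidates
        if compatible_substring(required, v) and not compatible(required, v)
    ]


if __name__ == "__main__":
    # Constructed sample interpreter versions; 3.13.11 and 13.11.0 both contain
    # the characters "3.11" without being Python 3.11.
    candidates = ["3.11.9", "3.13.11", "3.13.10", "13.11.0", "3.14.0rc1"]
    for v in candidates:
        print(f"{v:>10}  substring={compatible_substring('3.11', v)!s:5}  "
              f"structural={compatible('3.11', v)}")
    print("wrongly accepted:", find_false_positives("3.11", candidates))
```

The structural check also behaves sensibly for a bare major version ("3" accepts any 3.x) and for a full patch version ("3.11.4" accepts only 3.11.4), which the substring check does not.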
