Reject Pipfile entries with unrecognized keys #6611

Draft
matteius wants to merge 1 commit into main from fix/reject-unrecognized-pipfile-keys

@matteius
Member

Summary

Fixes #5642

Previously, pipenv silently ignored unrecognized keys in Pipfile package entries. For example, writing `commit = "hash"` instead of `ref = "hash"` for a VCS dependency would be silently ignored, causing the dependency to point at HEAD instead of the intended commit.

Changes

This adds validation at two levels:

  1. plette layer (`PackageSpecfiers.validate` in `pipenv/vendor/plette/models/packages.py`): Defines `KNOWN_PACKAGE_KEYS` — a frozenset of all recognized keys for a Pipfile package entry — and validates against it when the Pipfile is loaded via `plette.Pipfile.load()`.

  2. dependencies layer (`_validate_pipfile_entry` in `pipenv/utils/dependencies.py`): Validates package entries when `install_req_from_pipfile()` processes them during install/lock operations, raising `PipenvUsageError` with a clear message.

Example

Given this Pipfile:

```toml
[packages]
requests = { git = "ssh://git@github.com/psf/requests", commit = "foo" }
```

Pipenv will now produce:

```
Unrecognized option(s) in Pipfile for package 'requests': commit.
Valid options include: version, extras, editable, markers, ref, git, svn, hg, bzr,
path, file, index, subdirectory, hashes, no_binary, and PEP 508 marker keys.
```

Testing

All 375 existing unit tests continue to pass.


Pull Request opened by Augment Code with guidance from the PR author

Fixes #5642

Previously, pipenv silently ignored unrecognized keys in Pipfile package
entries. For example, writing `commit = "hash"` instead of
`ref = "hash"` for a VCS dependency would be silently ignored,
causing the dependency to point at HEAD instead of the intended commit.

This adds validation at two levels:

1. plette layer (PackageSpecfiers.validate): Checks for unknown keys
   when the Pipfile is loaded/validated via plette.Pipfile.load().

2. dependencies layer (_validate_pipfile_entry): Checks for unknown keys
   when install_req_from_pipfile() processes individual package entries
   during install/lock operations.

Both raise clear error messages listing the unrecognized key(s) and
the valid options available.
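
Added example (not code from this PR, pipenv or plette): a standalone audit of an already-parsed Pipfile for the failure described above, where a misspelled pin key leaves a VCS dependency unpinned. The option names are copied from the error message quoted in the PR description and the marker names from PEP 508; `audit_entry`, `audit_pipfile`, the sample data and the extra "no `ref`" finding are assumptions made for illustration.

```python
# Added example, not pipenv's or plette's code; option names are from the quoted error message.
PACKAGE_KEYS = frozenset({
    "version", "extras", "editable", "markers", "ref", "git", "svn", "hg",
    "bzr", "path", "file", "index", "subdirectory", "hashes", "no_binary",
})
# Environment marker names from PEP 508 (assumed meaning of "PEP 508 marker keys").
PEP508_MARKER_KEYS = frozenset({
    "os_name", "sys_platform", "platform_machine",
    "platform_python_implementation", "platform_release", "platform_system",
    "platform_version", "python_version", "python_full_version",
    "implementation_name", "implementation_version",
})
VCS_KEYS = ("git", "svn", "hg", "bzr")


def audit_entry(name, entry):
    """Return findings for one package entry (hypothetical helper)."""
    if isinstance(entry, str):  # shorthand form, e.g. flask = "*"
        return []
    findings = []
    unknown = sorted(set(entry) - PACKAGE_KEYS - PEP508_MARKER_KEYS)
    if unknown:
        findings.append(f"{name}: unrecognized option(s): {', '.join(unknown)}")
    # With the pin key misspelled, nothing pins the VCS checkout.
    if any(key in entry for key in VCS_KEYS) and "ref" not in entry:
        findings.append(f"{name}: VCS dependency has no 'ref'")
    return findings


def audit_pipfile(data, sections=("packages", "dev-packages")):
    """Audit a parsed Pipfile, i.e. the dict a TOML parser returns."""
    findings = []
    for section in sections:
        for name, entry in data.get(section, {}).items():
            findings.extend(f"[{section}] {f}" for f in audit_entry(name, entry))
    return findings


# Constructed sample: the entry from the PR description plus two valid ones.
SAMPLE = {
    "packages": {
        "requests": {"git": "ssh://git@github.com/psf/requests", "commit": "foo"},
        "flask": "*",
        "pywin32": {"version": "*", "sys_platform": "== 'win32'"},
    },
}

if __name__ == "__main__":
    print("\n".join(audit_pipfile(SAMPLE)))
```
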
@oz123
Contributor

oz123 commented Apr 29, 2026

I think this fix be implemented in plette directly?


Development

Successfully merging this pull request may close these issues.

Reject Pipfile that specifies unrecognised directives
