Update Pipenv to 2025.0.4 and improve installation/caching (#1840)

* Updates Pipenv from 2024.0.1 to 2025.0.4. Changelog:
  https://github.com/pypa/pipenv/blob/main/CHANGELOG.md#202504-2025-07-07
* Switches to installing Pipenv into its own virtual environment, so
  that it and its dependencies don't leak into the app environment.
* Stops installing pip (in addition to Pipenv) when the chosen package
  manager is Pipenv, to match the behaviour when using Poetry or uv.
* Forces the build cache to be cleared if the contents of `Pipfile.lock`
  has changed since the last build. This is required to work around
  `pipenv {install,sync}` by design not uninstalling packages if they
  are removed from the lockfile (?!). We also can't use `pipenv clean`
  since it doesn't work with `--system` / `PIPENV_SYSTEM`.

Apps that have been inadvertently depending on Pipenv's own dependencies
implicitly, will need to add those dependencies explicitly to their
`Pipfile` and regenerate `Pipfile.lock`. Similarly, any apps that for
some reason use pip later in the build in addition to Pipenv, will need
to either add pip as an explicit dependency in their `Pipfile`, or else
for adhoc use-cases (such as in one-off dynos), can temporarily install
pip using `python -m ensurepip --default-pip`.

Supersedes #1828.
GUS-W-17482289.
GUS-W-17482412.
GUS-W-19116903.

Author: edmorley

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+- Updated Pipenv from 2024.0.1 to 2025.0.4. ([#1840](https://github.com/heroku/heroku-buildpack-python/pull/1840))
+- Fixed the way Pipenv is installed, so that it and its dependencies are installed into a separate virtual environment rather than same environment as the app. If your app inadvertently depended on Pipenv's internal dependencies, you will need to add those dependencies explicitly to your `Pipfile`. ([#1840](https://github.com/heroku/heroku-buildpack-python/pull/1840))
+- Stopped installing pip when Pipenv is the chosen package manager. ([#1840](https://github.com/heroku/heroku-buildpack-python/pull/1840))
+- The build cache is now cleared when using Pipenv if the contents of `Pipfile.lock` has changed since the last build. This is required to work around Pipenv not uninstalling packages when they are removed from the lockfile. ([#1840](https://github.com/heroku/heroku-buildpack-python/pull/1840))
 - The build now errors when using Pipenv without its lockfile (`Pipfile.lock`). This replaces the warning displayed since November 2024. ([#1833](https://github.com/heroku/heroku-buildpack-python/pull/1833))
 
 ## [v291] - 2025-07-10

bin/compile

@@ -172,9 +172,7 @@ case "${package_manager}" in
 		pip::install_pip_setuptools_wheel "${python_home}" "${python_major_version}"
 		;;
 	pipenv)
-		# TODO: Stop installing pip when using Pipenv.
-		pip::install_pip_setuptools_wheel "${python_home}" "${python_major_version}"
-		pipenv::install_pipenv
+		pipenv::install_pipenv "${python_home}" "${python_major_version}" "${EXPORT_PATH}" "${PROFILE_PATH}"
 		;;
 	poetry)
 		poetry::install_poetry "${python_home}" "${python_major_version}" "${CACHE_DIR}" "${EXPORT_PATH}"

lib/cache.sh

@@ -87,6 +87,7 @@ function cache::restore() {
 				# later removed, pip will not uninstall the package. This check can be removed if we
 				# ever switch to only caching pip's HTTP/wheel cache rather than site-packages.
 				# TODO: Remove the `-f` check once the setup.py fallback feature is removed.
+				# TODO: Switch this to using sha256sum like the Pipenv implementation.
 				if [[ -f "${build_dir}/requirements.txt" ]] && ! cmp --silent "${cache_dir}/.heroku/requirements.txt" "${build_dir}/requirements.txt"; then
 					cache_invalidation_reasons+=("The contents of requirements.txt changed")
 				fi
@@ -102,9 +103,14 @@ function cache::restore() {
 				elif [[ "${cached_pipenv_version}" != "${PIPENV_VERSION:?}" ]]; then
 					cache_invalidation_reasons+=("The Pipenv version has changed from ${cached_pipenv_version} to ${PIPENV_VERSION}")
 				fi
-				# TODO: Remove this next time the Pipenv version is bumped (since it will trigger cache invalidation of its own)
-				if [[ -d "${cache_dir}/.heroku/src" ]]; then
-					cache_invalidation_reasons+=("The editable VCS repository location has changed (and Pipenv doesn't handle this correctly)")
+				# `pipenv {install,sync}` by design don't actually uninstall packages on their own (!!):
+				# and we can't use `pipenv clean` since it isn't compatible with `--system`.
+				# https://github.com/pypa/pipenv/issues/3365
+				# We have to explicitly check for the presence of the Pipfile.lock.sha256 file,
+				# since we only started writing it to the build cache as of buildpack v292+.
+				local pipfile_lock_checksum_file="${cache_dir}/.heroku/python/Pipfile.lock.sha256"
+				if [[ -f "${pipfile_lock_checksum_file}" ]] && ! sha256sum --check --strict --status "${pipfile_lock_checksum_file}"; then
+					cache_invalidation_reasons+=("The contents of Pipfile.lock changed")
 				fi
 				;;
 			poetry)
@@ -194,7 +200,12 @@ function cache::save() {
 	# TODO: Simplify this once multiple package manager files being found is turned into an
 	# error and the setup.py fallback feature is removed.
 	if [[ "${package_manager}" == "pip" && -f "${build_dir}/requirements.txt" ]]; then
+		# TODO: Switch this to using sha256sum like the Pipenv implementation.
 		cp "${build_dir}/requirements.txt" "${cache_dir}/.heroku/"
+	elif [[ "${package_manager}" == "pipenv" ]]; then
+		# This must use a relative path for the lockfile, since the output file will contain
+		# the path specified, and the build directory path changes every build.
+		sha256sum Pipfile.lock >"${cache_dir}/.heroku/python/Pipfile.lock.sha256"
 	fi
 
 	meta_time "cache_save_duration" "${cache_save_start_time}"

lib/pipenv.sh

@@ -6,44 +6,105 @@ set -euo pipefail
 
 PIPENV_VERSION=$(utils::get_requirement_version 'pipenv')
 
-# TODO: Either enable or remove these.
-# export CLINT_FORCE_COLOR=1
-# export PIPENV_FORCE_COLOR=1
-
 function pipenv::install_pipenv() {
-	meta_set "pipenv_version" "${PIPENV_VERSION}"
-
-	output::step "Installing Pipenv ${PIPENV_VERSION}"
-
-	# TODO: Install Pipenv into a venv so it isn't leaked into the app environment.
-	# TODO: Skip installing Pipenv if its version hasn't changed (once it's installed into a venv).
-	# TODO: Explore viability of making Pipenv only be available during the build, to reduce slug size.
+	local python_home="${1}"
+	local python_major_version="${2}"
+	local export_file="${3}"
+	local profile_d_file="${4}"
+
+	# Ideally we would only make Pipenv available during the build to reduce slug size, however,
+	# the buildpack has historically not done that and so some apps are relying on it at run-time
+	# (for example via `pipenv run` commands in their Procfile). As such, we have to store it in
+	# the build directory, but must do so via the symlinked `/app/.heroku/python` path so the
+	# venv doesn't break when the build directory is relocated to /app at run-time.
+	local pipenv_root="${python_home}/pipenv"
+
+	# We nest the venv and then symlink the `pipenv` script to prevent the rest of `venv/bin/`
+	# (such as entrypoint scripts from Pipenv's dependencies, or the venv's activation scripts)
+	# from being added to PATH and exposed to the app.
+	local pipenv_bin_dir="${pipenv_root}/bin"
+	local pipenv_venv_dir="${pipenv_root}/venv"
 
-	# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.
-	if ! {
-		pip \
-			install \
-			--disable-pip-version-check \
-			--no-cache-dir \
-			--no-input \
-			--quiet \
-			"pipenv==${PIPENV_VERSION}" \
-			|& output::indent
-	}; then
-		output::error <<-EOF
-			Error: Unable to install Pipenv.
-
-			In some cases, this happens due to a temporary issue with
-			the network connection or Python Package Index (PyPI).
-
-			Try building again to see if the error resolves itself.
+	meta_set "pipenv_version" "${PIPENV_VERSION}"
 
-			If that doesn't help, check the status of PyPI here:
-			https://status.python.org
-		EOF
-		meta_set "failure_reason" "install-package-manager::pipenv"
-		exit 1
+	# The earlier buildpack cache invalidation step will have already handled the case where the
+	# Pipenv version has changed, so here we only need to check that a Pipenv install exists.
+	# Note: We don't need to use the `-e` trick of `install_poetry()` since we're installing into
+	# a constant path, rather than the cache directory (which can change location).
+	if [[ -f "${pipenv_bin_dir}/pipenv" ]]; then
+		output::step "Using cached Pipenv ${PIPENV_VERSION}"
+	else
+		output::step "Installing Pipenv ${PIPENV_VERSION}"
+
+		mkdir -p "${pipenv_root}"
+
+		# We use the pip wheel bundled within Python's standard library to install Pipenv,
+		# since Pipenv vendors its own pip, so doesn't need an install in the venv.
+		# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.
+		if ! python -m venv --without-pip "${pipenv_venv_dir}" |& output::indent; then
+			output::error <<-EOF
+				Internal Error: Unable to create virtual environment for Pipenv.
+
+				The 'python -m venv' command to create a virtual environment did
+				not exit successfully.
+
+				See the log output above for more information.
+			EOF
+			meta_set "failure_reason" "create-venv::pipenv"
+			exit 1
+		fi
+
+		local bundled_pip_module_path
+		bundled_pip_module_path="$(utils::bundled_pip_module_path "${python_home}" "${python_major_version}")"
+
+		# We must call the venv Python directly here, rather than relying on pip's `--python`
+		# option, since `--python` was only added in pip v22.3, so isn't supported by the older
+		# pip versions bundled with Python 3.9/3.10.
+		# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.
+		if ! {
+			"${pipenv_venv_dir}/bin/python" "${bundled_pip_module_path}" \
+				install \
+				--disable-pip-version-check \
+				--no-cache-dir \
+				--no-input \
+				--quiet \
+				"pipenv==${PIPENV_VERSION}" \
+				|& output::indent
+		}; then
+			output::error <<-EOF
+				Error: Unable to install Pipenv.
+
+				In some cases, this happens due to a temporary issue with
+				the network connection or Python Package Index (PyPI).
+
+				Try building again to see if the error resolves itself.
+
+				If that doesn't help, check the status of PyPI here:
+				https://status.python.org
+			EOF
+			meta_set "failure_reason" "install-package-manager::pipenv"
+			exit 1
+		fi
+
+		mkdir -p "${pipenv_bin_dir}"
+		ln --symbolic --no-target-directory "${pipenv_venv_dir}/bin/pipenv" "${pipenv_bin_dir}/pipenv"
 	fi
+
+	export PATH="${pipenv_bin_dir}:${PATH}"
+	# Force Pipenv to manage the system Python site-packages instead of using venvs.
+	export PIPENV_SYSTEM="1"
+
+	# Set the same env vars in the environment used by later buildpacks.
+	cat >>"${export_file}" <<-EOF
+		export PATH="${pipenv_bin_dir}:\${PATH}"
+		export PIPENV_SYSTEM="1"
+	EOF
+
+	# And the environment used at app run-time.
+	cat >>"${profile_d_file}" <<-EOF
+		export PATH="${pipenv_bin_dir}:\${PATH}"
+		export PIPENV_SYSTEM="1"
+	EOF
 }
 
 # Previous versions of the buildpack used to cache the checksum of the lockfile to allow
@@ -62,7 +123,8 @@ function pipenv::install_dependencies() {
 		export PIP_EXTRA_INDEX_URL
 	fi
 
-	# Note: We can't use `pipenv sync` since it doesn't validate that the lockfile is up to date.
+	# Note: We can't use `pipenv sync` since it doesn't support `--deploy` and so won't abort
+	# if the lockfile is out of date.
 	local pipenv_install_command=(
 		pipenv
 		install
@@ -77,11 +139,14 @@ function pipenv::install_dependencies() {
 	# We only display the most relevant command args here, to improve the signal to noise ratio.
 	output::step "Installing dependencies using '${pipenv_install_command[*]}'"
 
+	# TODO: Expose app config vars to the install command as part of doing so for all package managers.
+	# `PIPENV_NOSPIN`: Disable progress spinners.
+	# `PIP_SRC`: Override the editable VCS repo location from its default of inside the build directory
+	#            (Pipenv uses pip internally, and doesn't offer its own config option for this).
 	# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.
 	if ! {
-		"${pipenv_install_command[@]}" \
-			--extra-pip-args='--src=/app/.heroku/python/src' \
-			--system \
+		PIPENV_NOSPIN="1" PIP_SRC="/app/.heroku/python/src" \
+			"${pipenv_install_command[@]}" \
 			|& tee "${WARNINGS_LOG:?}" \
 			|& output::indent
 	}; then

requirements/pipenv.txt

@@ -1 +1 @@
-pipenv==2024.0.1
+pipenv==2025.0.4

spec/fixtures/pipenv_basic/bin/compile

@@ -17,7 +17,8 @@ echo
 
 pipenv --version
 # We have to resort to using pip to list installed packages, since `pipenv graph` doesn't support `--system`.
-pip list --disable-pip-version-check
+python -m ensurepip --default-pip >/dev/null
+pip list --disable-pip-version-check --exclude pip
 echo
 
 python -c 'import typing_extensions; print(typing_extensions)'

spec/hatchet/ci_spec.rb

@@ -87,7 +87,6 @@
           -----> Python app detected
           -----> Using Python #{DEFAULT_PYTHON_MAJOR_VERSION} specified in .python-version
           -----> Installing Python #{DEFAULT_PYTHON_FULL_VERSION}
-          -----> Installing pip #{PIP_VERSION}
           -----> Installing Pipenv #{PIPENV_VERSION}
           -----> Installing dependencies using 'pipenv install --deploy --dev'
                  Installing dependencies from Pipfile.lock \\(.+\\)...
@@ -103,14 +102,16 @@
                  LC_ALL=C.UTF-8
                  LD_LIBRARY_PATH=/app/.heroku/python/lib
                  LIBRARY_PATH=/app/.heroku/python/lib
-                 PATH=/app/.heroku/python/bin::/usr/local/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/
+                 PATH=/app/.heroku/python/pipenv/bin:/app/.heroku/python/bin::/usr/local/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/
+                 PIPENV_SYSTEM=1
                  PKG_CONFIG_PATH=/app/.heroku/python/lib/pkg-config
                  PYTHONUNBUFFERED=1
           -----> Inline app detected
           LANG=en_US.UTF-8
           LD_LIBRARY_PATH=/app/.heroku/python/lib
           LIBRARY_PATH=/app/.heroku/python/lib
-          PATH=/app/.heroku/python/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/
+          PATH=/app/.heroku/python/bin:/app/.heroku/python/pipenv/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/
+          PIPENV_SYSTEM=1
           PYTHONHASHSEED=random
           PYTHONHOME=/app/.heroku/python
           PYTHONPATH=/app
@@ -124,7 +125,8 @@
           LANG=en_US.UTF-8
           LD_LIBRARY_PATH=/app/.heroku/python/lib
           LIBRARY_PATH=/app/.heroku/python/lib
-          PATH=/app/.heroku/python/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/:/app/.sprettur/bin/
+          PATH=/app/.heroku/python/bin:/app/.heroku/python/pipenv/bin:/usr/local/bin:/usr/bin:/bin:/app/.sprettur/bin/:/app/.sprettur/bin/
+          PIPENV_SYSTEM=1
           PYTHONHASHSEED=random
           PYTHONHOME=/app/.heroku/python
           PYTHONPATH=/app
@@ -140,8 +142,7 @@
           -----> Using Python #{DEFAULT_PYTHON_MAJOR_VERSION} specified in .python-version
           -----> Restoring cache
           -----> Using cached install of Python #{DEFAULT_PYTHON_FULL_VERSION}
-          -----> Installing pip #{PIP_VERSION}
-          -----> Installing Pipenv #{PIPENV_VERSION}
+          -----> Using cached Pipenv #{PIPENV_VERSION}
           -----> Installing dependencies using 'pipenv install --deploy --dev'
                  Installing dependencies from Pipfile.lock \\(.+\\)...
                  Installing dependencies from Pipfile.lock \\(.+\\)...

spec/hatchet/package_manager_spec.rb

@@ -115,7 +115,6 @@
           remote: 
           remote: -----> Using Python #{DEFAULT_PYTHON_MAJOR_VERSION} specified in .python-version
           remote: -----> Installing Python #{DEFAULT_PYTHON_FULL_VERSION}
-          remote: -----> Installing pip #{PIP_VERSION}
           remote: -----> Installing Pipenv #{PIPENV_VERSION}
           remote: -----> Installing dependencies using 'pipenv install --deploy'
           remote:        Installing dependencies from Pipfile.lock \\(.+\\)...