Dev package overwrites version in package

[ipmb]

Describe your environment

1. MacOS
2. Python version: Python 3.6.3
3. Pipenv version: pipenv, version 9.0.0

Expected result

dev-packages do not override packages. In the example below, Django 1.11.6 should be the only version included in the lockfile.

Actual result

max:tmp pete$ pipenv install django==1.11.6
Creating a virtualenv for this project…
⠋Using base prefix '/usr/local/Cellar/python3/3.6.3/Frameworks/Python.framework/Versions/3.6'
New python executable in /Users/pete/.virtualenvs/tmp-n8UXe2BB/bin/python3.6
Also creating executable in /Users/pete/.virtualenvs/tmp-n8UXe2BB/bin/python
Installing setuptools, pip, wheel...done.

Virtualenv location: /Users/pete/.virtualenvs/tmp-n8UXe2BB
Creating a Pipfile for this project…
Installing django==1.11.6…
Collecting django==1.11.6
  Using cached Django-1.11.6-py2.py3-none-any.whl
Collecting pytz (from django==1.11.6)
  Using cached pytz-2017.3-py2.py3-none-any.whl
Installing collected packages: pytz, django
Successfully installed django-1.11.6 pytz-2017.3

Adding django==1.11.6 to Pipfile's [packages]…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (548cfe)!
max:tmp pete$ pipenv install django-debug-toolbar --dev
Installing django-debug-toolbar…
Collecting django-debug-toolbar
  Using cached django_debug_toolbar-1.9.1-py2.py3-none-any.whl
Collecting sqlparse>=0.2.0 (from django-debug-toolbar)
  Using cached sqlparse-0.2.4-py2.py3-none-any.whl
Requirement already satisfied: Django>=1.8 in /Users/pete/.virtualenvs/tmp-n8UXe2BB/lib/python3.6/site-packages (from django-debug-toolbar)
Requirement already satisfied: pytz in /Users/pete/.virtualenvs/tmp-n8UXe2BB/lib/python3.6/site-packages (from Django>=1.8->django-debug-toolbar)
Installing collected packages: sqlparse, django-debug-toolbar
Successfully installed django-debug-toolbar-1.9.1 sqlparse-0.2.4

Adding django-debug-toolbar to Pipfile's [dev-packages]…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (0c8a93)!
max:tmp pete$ grep \"django\" -A5 Pipfile.lock
        "django": {
            "hashes": [
                "sha256:7ab6a9c798a5f9f359ee6da3677211f883fb02ef32cebe9b29751eb7a871febf",
                "sha256:c3b42ca1efa1c0a129a9e863134cc3fe705c651dea3a04a7998019e522af0c60"
            ],
            "version": "==1.11.6"
--
        "django": {
            "hashes": [
                "sha256:af18618ce3291be5092893d8522fe3919661bf3a1fb60e3858ae74865a4f07c2",
                "sha256:9614851d4a7ff8cbd32b73c6076441f377c45a5bbff7e771798fb02c43c31f47"
            ],
            "version": "==2.0"

Django 1.11.6 (the expected package) is there, but Django 2.0 is incorrectly included in the dev-packages.

Steps to replicate

From an empty directory:

pipenv install django==1.11.6
pipenv install django-debug-toolbar --dev

[techalchemy]

Hi @ipmb, thanks for reporting. We are aware of this bug which was first reported in #1172, and it is fixed in master by #1173 and scheduled for a hotfix release later today. Sorry for the inconvenience (on a personal note, I introduced the bug, I really AM sorry!) and thanks for your patience. In the meantime I'm going to close this issue-- expect a fix to hit PyPI shortly

[ipmb]

This issue still exists in 9.0.1. To reproduce:

pipenv install Django==1.11.6
pipenv install django-debug-toolbar --dev
pipenv install --dev
pipenv run pip freeze | grep Django

Expected result: Django==1.11.6
Actual result: Django==2.0

[ipmb]

Open issue at #1220