Validate Python version when using --system flag#6453
Merged
Conversation
Fixes #6403 Previously, 'pipenv install --system --deploy' would silently proceed even if the system Python version didn't match the python_version specified in Pipfile/Pipfile.lock. This was because the version check was only performed when creating a new virtualenv, not when using --system. This moves the Python version check outside of the virtualenv creation block so it runs for both virtualenv and --system installations. When --deploy is used with an incompatible Python version, a DeployException is now properly raised.
matteius
added a commit
that referenced
this pull request
Mar 18, 2026
…check Fixes #6514 The check introduced in #6453 used a substring 'not in' test to compare the required Python version (from Pipfile [requires]) against the actual Python version. This produces false-negatives (silently accepting an incompatible interpreter) whenever the required version string happens to be a substring of the actual version string. Concrete example from the issue: required = "3.11" (python_version in Pipfile.lock) actual = "3.13.11" (system Python in the Docker image) "3.11" in "3.13.11" → True ← wrong: they are NOT compatible ("3.11" matches characters 3-6 of "3.13.11") This silently skipped the incompatibility warning/error, so 'pipenv install --deploy --system' succeeded when it should have aborted. Fix: replace the substring check with proper semantic version comparison via packaging.version.parse (already imported in the module): * When required_python_version has only two dot-separated components (i.e. python_version = "X.Y"), compare only the major and minor fields of the parsed versions. * When it has three or more components (python_full_version = "X.Y.Z"), require an exact match. The comparison is extracted into a module-level helper function _python_version_matches_required() to keep ensure_project() readable and to allow direct unit testing. Tests: 19 parametrised cases added in TestPythonVersionMatchesRequired, covering the exact substring-trap from the issue, additional ambiguous pairs ("3.9"/"3.9.10", "3.1"/"3.11.0", "3.11.1"/"3.11.10"), major-version mismatches, python_full_version exact-match and mismatch cases, and empty-string edge cases.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #6403
Previously,
pipenv install --system --deploywould silently proceed even if the system Python version didn't match thepython_versionspecified in Pipfile/Pipfile.lock. This was a significant gap in the--deploysafety checks.The Problem
The Python version validation code was only executed inside the
if not system_or_exists:block, which means it was skipped entirely when using--system. This allowed installations to proceed with an incompatible Python version without any warning or error.The Fix
This PR moves the Python version check outside of the virtualenv creation block so it runs for both:
--systeminstallationsWhen
--deployis used with an incompatible Python version, aDeployExceptionis now properly raised.The fix also adjusts the warning message: the suggestion to use
pipenv --rmis only shown for virtualenv installations (not--system).Testing
Before this fix (using the Dockerfile from the issue):
After this fix:
Checklist
--system#6403news/6403.bugfix.rstPull Request opened by Augment Code with guidance from the PR author