Fix pipenv update --dev updating transitive deps independently

matteius · matteius · commit 44bf74a314cc · 2025-12-10T00:40:45.000-05:00
When running 'pipenv update --dev' or 'pipenv update --categories develop', transitive dependencies in the develop section were being updated independently from the default section. This could result in version bumps (including major version changes) for shared packages between default and develop. The fix adds the same 'overwrite_with_default()' logic from lock.py to update.py, ensuring that any packages present in both default and develop sections use the version from default. Fixes #6420
diff --git a/news/6420.bugfix.rst b/news/6420.bugfix.rst
@@ -0,0 +1,7 @@
+Fix ``pipenv update --dev`` (and ``pipenv update --categories develop``) updating
+transitive dependencies in the ``develop`` section independently from the ``default``
+section. Now, any packages that appear in both ``default`` and ``develop`` will use
+the version from ``default``, ensuring consistent dependency versions between
+production and development environments.
+
+Fixes #6420
diff --git a/pipenv/routines/update.py b/pipenv/routines/update.py
@@ -8,6 +8,7 @@
 from pipenv.exceptions import JSONParseError, PipenvCmdError
 from pipenv.patched.pip._vendor.packaging.specifiers import SpecifierSet
 from pipenv.patched.pip._vendor.packaging.version import InvalidVersion, Version
+from pipenv.routines.lock import overwrite_with_default
 from pipenv.routines.outdated import do_outdated
 from pipenv.routines.sync import do_sync
 from pipenv.utils import err
@@ -653,6 +654,16 @@ def upgrade(
         if not has_package_args:
             package_args = []
 
+    # Overwrite any non-default category packages with default packages (if present)
+    # This ensures transitive dependencies in develop match the versions from default
+    for category in categories:
+        if category == "default":
+            continue
+        if lockfile.get(category):
+            lockfile[category].update(
+                overwrite_with_default(lockfile.get("default", {}), lockfile[category])
+            )
+
     # Update and write lockfile
     lockfile.update({"_meta": project.get_lockfile_meta()})
     project.write_lockfile(lockfile)
