Bump pipenv from 2026.5.2 to 2026.6.1 #2082

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/pipenv-2026.6.1

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps pipenv from 2026.5.2 to 2026.6.1.

Release notes

Sourced from pipenv's releases.

Release v2026.6.1

🤖 AI-Generated Changelog

Fixed

  • Prevent mutation of cached parsed Pipfile data during dependency locking, resolving potential issues with corrupted lock state across operations

Changed

  • Updated development dependencies (pip group)

🔗 Full Changelog: pypa/pipenv@v2026.6.0...v2026.6.1

Release v2026.6.0

🤖 AI-Generated Changelog

Security

  • Strip credentials from pip argument vectors to prevent credential exposure in logs and process listings (GHSA-8xgg-v3jj-95m2)
  • Validate tar link targets in data_filter fallback to prevent path traversal during package installation (GHSA-p4qx-p8p6-4gjf)

Added

  • Add documentation for git+ssh package sources in Pipfile

Fixed

  • Fix PIPENV_PROJECT_DIR not being expanded correctly in Pipfile script definitions
  • Fix pipenv shell breaking terminal input echo after exit
  • Fix three regressions introduced in a prior release affecting resolver and marker environment handling
  • Restore target_marker_version helper alias for backwards compatibility
  • Fix _target_marker_environment returning incorrect value when allow_global=True

Changed

  • Vendor in Pip 26.1
  • Cache Pipfile parsing and parallelize hash and candidate lookups for improved performance

Dependencies

  • Bump pygments from 2.19.2 to 2.20.0
  • Bump pytest (development dependency)

🔗 Full Changelog: pypa/pipenv@v2026.5.2...v2026.6.0

Changelog

Sourced from pipenv's changelog.

2026.6.1 (2026-04-28)

pipenv 2026.6.1 (2026-04-28)

Bug Fixes

  • Fix pipenv install corrupting existing inline-table or outline-table Pipfile entries (six = {version = "*"}, [packages.requests]). The locker was popping version/ref keys directly off the cached parsed_pipfile document, so subsequent writes emitted six = {} and dropped the version specifier from sibling packages. [#6657](https://github.com/pypa/pipenv/issues/6657)

2026.6.0 (2026-04-27)

pipenv 2026.6.0 (2026-04-27)

Bug Fixes

  • Fix pipenv shell breaking terminal input echo on Linux. The previous implementation toggled setecho(True/False) on the spawned child around its internal setup commands, which fought with the shell's own readline termios management — producing permanently-disabled echo (GH-6572) or double-echoed keystrokes (123411223344). fork_compat no longer touches pty termios; instead it drains the synchronisation sentinel from the pexpect buffer twice (once for the echoed command, once for its output) so nothing leaks into interact(). [#6633](https://github.com/pypa/pipenv/issues/6633)
  • pipenv run <command> -h <arg> now passes -h through to the command instead of showing pipenv's help. All arguments following run_command are captured verbatim via argparse REMAINDER, so flags like -h that pipenv itself also defines no longer collide with the wrapped command. [#6641](https://github.com/pypa/pipenv/issues/6641)
  • Fix ValueError: invalid literal for int() with base 10 when the Pipfile's [requires] section uses a PEP 440 specifier (e.g. python_version = ">=3.9"). Specifier values no longer produce a Python-version override; the running interpreter's actual version is used for marker evaluation instead. [#6645](https://github.com/pypa/pipenv/issues/6645)
  • Install-time marker filtering now evaluates environment markers against the target virtualenv's Python version rather than against the Python version that pipenv itself is running under. This prevents spurious Ignoring …: markers … don't match your environment warnings (and the corresponding missing installs) when pipenv sync --python X.Y is driven by a different system Python. [#6647](https://github.com/pypa/pipenv/issues/6647)
  • pipenv run now expands $PIPENV_PROJECT_DIR and other Pipenv-managed environment variables inside Pipfile script arguments before direct command execution, so project-relative script paths resolve correctly. [#6652](https://github.com/pypa/pipenv/issues/6652)

... (truncated)

Commits
  • da2c9d9 Release v2026.6.1
  • e945cfe Bumped version to 2026.6.1.
  • 1e9ca66 chore(deps-dev): bump the pip group across 1 directory with 2 updates (#6658)
  • 87dffe0 fix: don't mutate cached parsed_pipfile when locking deps (#6657)
  • 75a07fc Release v2026.6.0
  • 2430757 Bumped version to 2026.6.0.
  • 6c0e631 Vendor in Pip 26.1 (#6656)
  • 4cf7d9f Fix Pipfile script expansion for PIPENV_PROJECT_DIR (#6655)
  • 838d0b3 perf: cache Pipfile parse, parallelize hash/candidate lookups, harden benchma...
  • 551d3ae docs: added git+ssh package source documentation for Pipfile (#6651)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pipenv](https://github.com/pypa/pipenv) from 2026.5.2 to 2026.6.1.
- [Release notes](https://github.com/pypa/pipenv/releases)
- [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.md)
- [Commits](pypa/pipenv@v2026.5.2...v2026.6.1)

---
updated-dependencies:
- dependency-name: pipenv
  dependency-version: 2026.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and python labels May 1, 2026
@dependabot dependabot Bot requested a review from edmorley as a code owner May 1, 2026 17:46
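
The 2026.6.0 release notes quoted above list a fix that validates tar link targets to prevent path traversal during package installation (GHSA-p4qx-p8p6-4gjf). The following is an added example of that kind of check, not code from pipenv, pip, or this pull request; `unsafe_link_members` and `build_sample` are hypothetical names, the archive is constructed in memory, and POSIX paths are assumed.

```python
import io
import os
import tarfile


def unsafe_link_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members whose path or declared link target leaves dest."""
    root = os.path.realpath(dest)

    def inside(path: str) -> bool:
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    bad = []
    for m in tar.getmembers():
        member_path = os.path.join(root, m.name)
        if not inside(member_path):
            bad.append(m.name)
        elif m.issym():
            # Symlink targets resolve relative to the directory holding the link.
            target = os.path.join(os.path.dirname(member_path), m.linkname)
            if os.path.isabs(m.linkname) or not inside(target):
                bad.append(m.name)
        elif m.islnk():
            # Hard-link targets resolve relative to the archive root.
            target = os.path.join(root, m.linkname)
            if os.path.isabs(m.linkname) or not inside(target):
                bad.append(m.name)
    return bad


def build_sample() -> tarfile.TarFile:
    """Constructed archive: one regular file, one safe link, three escaping links."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, link in [
            ("pkg/data.txt", tarfile.REGTYPE, ""),
            ("pkg/ok_link", tarfile.SYMTYPE, "data.txt"),
            ("pkg/escape_sym", tarfile.SYMTYPE, "../../etc/passwd"),
            ("pkg/escape_hard", tarfile.LNKTYPE, "../outside.txt"),
            ("pkg/abs_sym", tarfile.SYMTYPE, "/etc/passwd"),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tf.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    print(unsafe_link_members(build_sample(), "/tmp/constructed-dest"))
```

This checks only the targets declared in the archive headers before extraction; it does not follow chains of links created earlier in the same archive.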