Bump pipenv from 2026.5.2 to 2026.6.2

[dependabot]

Bumps pipenv from 2026.5.2 to 2026.6.2.

Release notes

Sourced from pipenv's releases.

Release v2026.6.2

🤖 AI-Generated Changelog

Added

• Support cool-down-period configuration in the [pipenv] section of the Pipfile

Fixed

• Credentials defined in Pipfile now take precedence over .netrc; environment variables in pylock source URLs are now expanded correctly
• Re-lock all Pipfile entries when running pipenv update with no packages specified

Changed

• Bump plette vendor dependency to 2.2.1
• Bump idna dependency in the pip group

---

🔗 Full Changelog: pypa/pipenv@v2026.6.1...v2026.6.2

Release v2026.6.1

🤖 AI-Generated Changelog

Fixed

• Prevent mutation of cached parsed Pipfile data during dependency locking, resolving potential issues with corrupted lock state across operations

Changed

• Updated development dependencies (pip group)

---

🔗 Full Changelog: pypa/pipenv@v2026.6.0...v2026.6.1

Release v2026.6.0

🤖 AI-Generated Changelog

Security

• Strip credentials from pip argument vectors to prevent credential exposure in logs and process listings (GHSA-8xgg-v3jj-95m2)
• Validate tar link targets in data_filter fallback to prevent path traversal during package installation (GHSA-p4qx-p8p6-4gjf)

Added

• Add documentation for git+ssh package sources in Pipfile

Fixed

• Fix PIPENV_PROJECT_DIR not being expanded correctly in Pipfile script definitions
• Fix pipenv shell breaking terminal input echo after exit
• Fix three regressions introduced in a prior release affecting resolver and marker environment handling
• Restore target_marker_version helper alias for backwards compatibility
• Fix _target_marker_environment returning incorrect value when allow_global=True

... (truncated)

Changelog

Sourced from pipenv's changelog.

2026.6.2 (2026-06-02)

pipenv 2026.6.2 (2026-06-02)

Features & Improvements

• Added support for cool-down-period in the [pipenv] section of the Pipfile. Setting cool-down-period = "30d" instructs the resolver to only consider package versions uploaded at least the specified number of days ago, via pip's --uploaded-prior-to flag.

Bug Fixes

• Restored authentication to private indexes when [[source]] URLs use environment-variable placeholders. The GHSA-8xgg-v3jj-95m2 fix moved credentials off pip's argv onto a merged netrc, but write_credentials_netrc wrote our Pipfile-derived machine blocks BEFORE the appended user netrc — and netrc.authenticators() returns the LAST matching entry, so a stale system entry for the same host silently overrode the freshly-expanded creds. Our blocks now come AFTER the user's existing content. Additionally, the pylock.toml reader now runs expand_url_credentials over its sources so users with [pipenv] use_pylock = true see the same env-var expansion that Pipfile.lock reads have always had. [#6670](https://github.com/pypa/pipenv/issues/6670) <https://github.com/pypa/pipenv/issues/6670>_
• Restored documented pipenv update (no args) semantics of lock + sync. Since 2026.0.0, pipenv update only re-resolved Pipfile entries whose locked version no longer satisfied the Pipfile specifier, so relaxing a pin (e.g. urllib3 = "<2.7.0" → urllib3 = "*") would not pick up newer allowed releases — the lockfile silently stayed at the existing pin. pipenv update now routes through do_lock when no packages are given, re-resolving every Pipfile entry. The targeted pipenv update <pkg> path is unchanged. [#6672](https://github.com/pypa/pipenv/issues/6672) <https://github.com/pypa/pipenv/issues/6672>_

Vendored Libraries

• Bump vendored plette to 2.2.1.

2026.6.1 (2026-04-28)

pipenv 2026.6.1 (2026-04-28)

Bug Fixes

... (truncated)

Commits

• 31296c5 Merge pull request #6679 from pypa/ci/update-github-actions
• 19c1717 ci: update GitHub Actions to latest versions
• fdd6c7c Changelog
• ab4a77b Bumped version to 2026.6.2.
• c1739c9 Merge pull request #6671 from pypa/fix/6670-env-var-source-url-auth
• b7605d0 Merge pull request #6674 from pypa/dependabot/pip/pip-d665ee01e3
• de873e1 Merge pull request #6675 from pypa/fix/6672-update-relock-when-no-packages
• 04b8693 fix(update): re-lock all Pipfile entries when no packages are given (#6672)
• cdaea3f chore(deps): bump idna in the pip group across 0 directory
• eff007f chore(deps): bump idna in /examples in the pip group across 1 directory (#6673)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

MarkdownLint Results

1 tests  ±0   1 ✅ ±0   0s ⏱️ ±0s
1 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 01d153d. ± Comparison against base commit ba914a8.