I know this is a shitpost, but for anyone that still does serious development with Python, Pipenv is a literal meme. Avoid.
Using requirement file extensions with the -r flag allows you to have a separate requirements.txt for development and another for production. Even better, you can have an arbitrary number of "environments".
To use it, just add the -r flag inside a requirements file. E.g. if you have a prod.txt with all your production dependencies, you could create a separate dev.txt whose first line is "-r prod.txt". Then when you do "pip install -r dev.txt" you will install both production and development dependencies. In production of course you would do "pip install -r prod.txt".
You can create lockfiles easily with pip. Just run "pip freeze > lock.txt" and it will write your currently installed versions of everything into the lock.txt file. To enforce the versions listed in lock.txt when running pip install, just add "-c lock.txt" after the "-r whatever" in your lockfiles.
`python -m venv .venv && source .venv/bin/activate` for virtual environments.
And that's it. Besides hash integrity checks (who cares? the real deal is verifying GPG signatures of packages, but I don't think setuptools even supports those), you got a faster, leaner, and way more consistent "Pipenv". No longer do you need to read the source code to understand why in the fuck installing a new package updates every single other installed package, or catch that little print that explains about Docker deployments (it's --system, or was it --deploy?), or that other littler print that explains about install vs. sync (not knowing this means that the Pipfile.lock gets completely ignored, turning the whole thing into a worse Pip).
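Added example, not part of the comment above: a check that every package named in dev.txt (including what it pulls in through "-r prod.txt") has an exact `==` pin in lock.txt, so nothing installs unconstrained. The function names, package names and versions are constructed for illustration; only the prod.txt/dev.txt/lock.txt layout comes from the comment.

```python
import re
import tempfile
from pathlib import Path

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")

def canon(name):
    # PEP 503 normalisation: case-insensitive; runs of "-", "_" and "." are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(path, seen=None):
    """Collect package names from a requirements file, following nested -r includes."""
    seen = set() if seen is None else seen
    path = Path(path).resolve()
    if path in seen:                      # guard against include cycles
        return set()
    seen.add(path)
    names = set()
    for raw in path.read_text().splitlines():
        line = raw.split(" #")[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        include = re.match(r"^(?:-r|--requirement)[ =]?\s*(\S+)", line)
        if include:                       # pip resolves includes relative to the including file
            names |= requirement_names(path.parent / include.group(1), seen)
        elif not line.startswith("-"):    # skip other options such as -c or --index-url
            found = NAME_RE.match(line)
            if found:
                names.add(canon(found.group(0)))
    return names

def pinned_names(lock_path):
    """Names that the lockfile pins to one exact version (name==version)."""
    pins = set()
    for line in Path(lock_path).read_text().splitlines():
        pin = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==\S+", line.strip())
        if pin:
            pins.add(canon(pin.group(1)))
    return pins

def unpinned(req_path, lock_path):
    return sorted(requirement_names(req_path) - pinned_names(lock_path))

def demo():
    # Constructed sample files; pytest is deliberately missing from lock.txt
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "prod.txt").write_text("requests>=2.0\nDjango\n")
        (d / "dev.txt").write_text("-r prod.txt\npytest  # test runner\nFlask_Cors\n")
        (d / "lock.txt").write_text("requests==2.31.0\ndjango==4.2.7\nflask-cors==4.0.0\n")
        return unpinned(d / "dev.txt", d / "lock.txt")
```

Run in CI before the install step, a non-empty result from `unpinned` means the lockfile is stale relative to the requirements files.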