pipenv lock fails when Pipfile has several sources from v2022.3.23 #5030

Closed
ysk24ok opened this issue Apr 4, 2022 · 2 comments

ysk24ok commented Apr 4, 2022

Issue description

When Pipfile has multiple sources e.g. public and private pypi servers, and the public (default) one is not declared first, pipenv lock fails.
With pipenv v2022.1.8 it worked fine, but with v2022.3.23 or newer it shows an error.

If this change is intentional, it's kind of breaking backward compatibility, so I think it needs to be written in the release note or the documentation.

Expected result

pipenv lock succeeds.

Actual result

No matching distribution found for requests will be shown.

Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Building requirements...
Resolving dependencies...
✘ Locking Failed!

CRITICAL:pipenv.patched.notpip._internal.resolution.resolvelib.factory:Could not find a version that satisfies the requirement requests (from versions: none)
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/resolver.py", line 743, in _main
[ResolutionFailure]:       resolve_packages(pre, clear, verbose, system, write, requirements_dir, packages, dev)
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/resolver.py", line 704, in resolve_packages
[ResolutionFailure]:       results, resolver = resolve(
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/resolver.py", line 685, in resolve
[ResolutionFailure]:       return resolve_deps(
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/utils.py", line 1398, in resolve_deps
[ResolutionFailure]:       results, hashes, markers_lookup, resolver, skipped = actually_resolve_deps(
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/utils.py", line 1127, in actually_resolve_deps
[ResolutionFailure]:       resolver.resolve()
[ResolutionFailure]:   File "/usr/local/lib/python3.8/site-packages/pipenv/utils.py", line 905, in resolve
[ResolutionFailure]:       raise ResolutionFailure(message=str(e))
[pipenv.exceptions.ResolutionFailure]: Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.
  You can use $ pipenv install --skip-lock to bypass this mechanism, then run $ pipenv graph to inspect the situation.
  Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: No matching distribution found for requests

Steps to replicate

Here's Pipfile.

[[source]]
name = "private"
url = "URL"
verify_ssl = true

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[packages]
requests = "*"  # I use requests as an example, but any package will be OK.
mypackage = {version = "*", index = "private"}

Run pipenv lock.

$ pip3 install pipenv==2022.3.28
$ pipenv lock

$ pipenv --support

Pipenv version: '2022.3.28'

Pipenv location: '/usr/local/lib/python3.8/site-packages/pipenv'

Python location: '/usr/local/bin/python'

Python installations found:

  • 3.9.2: /usr/bin/python3.9
  • 3.9.2: /usr/bin/python3
  • 3.8.12: /usr/local/bin/python
  • 3.8.12: /usr/local/bin/python3
  • 3.8.12: /usr/local/bin/python3.8

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.8.12',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '5.10.104-linuxkit',
 'platform_system': 'Linux',
 'platform_version': '#1 SMP Wed Mar 9 19:05:23 UTC 2022',
 'python_full_version': '3.8.12',
 'python_version': '3.8',
 'sys_platform': 'linux'}

System environment variables:

  • HOSTNAME
  • PYTHON_VERSION
  • PWD
  • PYTHON_SETUPTOOLS_VERSION
  • JFROG_USER
  • HOME
  • LANG
  • GPG_KEY
  • TERM
  • SHLVL
  • PYTHON_PIP_VERSION
  • PYTHON_GET_PIP_SHA256
  • PYTHON_GET_PIP_URL
  • PATH
  • JFROG_TOKEN
  • _
  • PIP_SHIMS_BASE_MODULE
  • PIP_DISABLE_PIP_VERSION_CHECK
  • PYTHONDONTWRITEBYTECODE
  • PIP_PYTHON_PATH
  • PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  • LANG: C.UTF-8
  • PWD: /root/pipenv-test

Contents of Pipfile ('/root/pipenv-test/Pipfile'):

[[source]]
url = "https://$JFROG_USER:$JFROG_TOKEN@mercari.jfrog.io/mercari/api/pypi/pypi-local/simple/"
verify_ssl = true
name = "local"

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[packages]
requests = "*"
authority-sdk-python = {version = "*", index = "local"}
#requests = {version = "*", index = "pypi"}

matteius commented Apr 4, 2022

@ysk24ok I started working on documentation improvements related to this, but basically the 2022.3.x releases of pipenv changed to treat indexes strictly to prevent package confusion attacks. The first index in the Pipfile is considered the default index for the project and technically while this fact did not change, how we use the indexes to search and resolve has become more strict so no package will ever search more than one index to be resolved. Please see this PR for more details and feel free to recommend additional improvements to the docs or feature flags that would be helpful: #5029
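
Added example, not part of the thread and not pipenv's own code: a small model of the strict index handling described in the comment above, reporting the single index each Pipfile package would be looked up on. The sample Pipfile, the placeholder private URL and the function names are constructed for illustration; the pinned form follows the commented-out line in the reporter's Pipfile.

```python
try:
    import tomllib  # standard library from Python 3.11
except ImportError:
    import tomli as tomllib  # assumption: tomli backport installed on older Pythons

# Constructed sample modelled on the Pipfile in the report; the private URL is a placeholder.
PIPFILE_REPORTED = """
[[source]]
name = "private"
url = "https://private.example.invalid/simple"
verify_ssl = true

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[packages]
requests = "*"
mypackage = {version = "*", index = "private"}
"""
# Same file with requests pinned to the public index explicitly.
PIPFILE_PINNED = PIPFILE_REPORTED.replace(
    'requests = "*"', 'requests = {version = "*", index = "pypi"}')


def index_plan(pipfile_text):
    """Return {package: (index_name, explicitly_pinned)}; one index per package."""
    data = tomllib.loads(pipfile_text)
    sources = [s["name"] for s in data.get("source", [])]
    if not sources:
        raise ValueError("Pipfile declares no [[source]] entries")
    default = sources[0]  # first [[source]] is the project's default index
    plan = {}
    for section in ("packages", "dev-packages"):
        for name, spec in data.get(section, {}).items():
            pinned = isinstance(spec, dict) and "index" in spec
            index = spec["index"] if pinned else default
            if index not in sources:
                raise ValueError(f"{name}: index {index!r} is not a declared source")
            plan[name] = (index, pinned)
    return plan


def implicit_on_default(pipfile_text):
    """Packages with no index key: these are looked up on the default index only."""
    return sorted(n for n, (_, pinned) in index_plan(pipfile_text).items() if not pinned)
```

For the reported layout, `implicit_on_default` lists `requests`, which is therefore searched only on `private`; either declaring the public index first or pinning the package with `index = "pypi"` removes it from that list.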


ysk24ok commented Apr 4, 2022

Thank you for the info, and your hard work! You're already working on doc improvements, so it should be OK.
Let me close this issue.

ysk24ok closed this as completed Apr 4, 2022