Add name key to sources in Pipfiles

[jeffwidman]

Newer versions of pipenv require any specified sources to be
explicitly name'd.

More context here: pypa/pipenv#5370 (comment)

This has been true since at least Sept 2022. Our version of pipenv is
from April of 2022, so it doesn't complain. But it will as soon as we upgrade.

Also, for sources that dynamically injects into the
Pipfile, they need a name. These sources are stripped from the final
Pipfile / Pipfile.lock during the FileUpdater#post_process_lockfile
method, so all we need is a placeholder name to placate pipenv.

Long term, we may want to add custom error handling to flag this
missing key as a Dependabot::DependencyFileNotResolvable error.

But I decided that was out of scope for now as this PR does not generate
the error... that will not happen until we upgrade to newer pipenv.
And even at that point, our first priority will be upgrading, and then
from there handling any new errors that start popping up.

And even then, most of the active users of pipenv are unlikely to see this
error because they're likely running a newer version of pipenv.

[jeffwidman]

Likely there will be hash mismatches in the fixture lockfiles, so they'll need regenerating... if so, probably best to only do what's necessary to get past CI... as no point in regenerating in this PR using an older version of pipenv only to have to regenerate them again under the newer version of pipenv... and probably best to wait until we switch to pipenv upgrade so that we don't have to regenerate yet again:

• Regenerate pipenv lockfiles used as test fixtures #7697
• Bump pipenv from 2022.4.8 to 2023.7.23 in /python/helpers #7715
• Switch to leveraging pipenv's new pipenv upgrade command #6836

[jeffwidman]

This was the only lockfile that the tests required to have an updated hash.

I strongly suspect the hashes are outdated for the other fixture lockfiles, but again, we can regenerate them all after updating to latest pipenv once we drop Python 3.7.

[jeffwidman]

We got a report via a support ticket that opened a PR that included index: dependabot-inserted-index-0 in Pipfile.lock. So this PR introduced some bug...

Unfortunately, I can't repro and the affected user's repo is a private company so I can't access their repo and they are migrating to a different python package manager so decided it wasn't worthwhile for them to try to create a reproducible example.

The one observation they made:

the bad index seems to be added while updating the sub-dependencies of our private libs.

If anyone else encounters this, please feel free to file a new issue, preferably here in dependabot-core and linking to reproducible example and I'd be happy to take a look.

[juanitosvq]

We are having the same issue but unfortunately also in a private repository 😞

It looks like older versions of pipenv are happy with that new index, but certainly the newest version pipenv-2023.8.28 is not:

Successfully uninstalled pipenv-2023.2.4

..............................................................................................................................

Installing dependencies from Pipfile.lock (923e0b)...
--
125 | Unable to find dependabot-inserted-index-0 in sources, please check
126 | dependencies:

We also have private libraries, so not sure I'll be able to create a reproducible example.

[jeffwidman]

@juanitosvq Can you at least create a new issue describing what you're seeing? The pipenv maintainers are great folks and we have good lines of communication open with them, so maybe between all of us we can get it figured out...

But this isn't a conversation we should be having on an already merged PR... 😁