What does pipenv do after installing that takes up so much time and downloads huge amounts of data?

After encountering a few nightmares with Python versions, I tried pyenv and pipenv. But when installing pygame and seaborn with pipenv, I noticed the installation happens in a few seconds and the Installation Succeeded message would appear immediately. Then there are some locking messages shown and there's a long waiting time of a few minutes where it shows a loading icon saying Locking.
During this time, there's a huge amount of data being downloaded. Image shown below. What is this data being downloaded? Why is it necessary? Can it be disabled? I'm wary of using pipenv now.

Grazynagreabe answered 31/12, 2019 at 3:54 Comment(0)

This sounds related to https://github.com/pypa/pipenv/issues/3827:

pipenv lock downloads every available artifact of installed packages and their dependencies. It does this to calculate their hashes, even when the artifact url includes the hash in a fragment. For some large packages, such as scipy, which have large dependencies and many artifacts per version, this behavior can result in unreasonably long delays for some users (893MB vs. 50MB download).

A workaround in the form of a patch for the pipenv source code is given in this bug report itself. It takes the hash from the artifact URL if possible instead of always recomputing it, which seems to drastically improve locking time.

Link to workaround: https://github.com/pypa/pipenv/blob/4c003521052d3b607be5abedf989744a5c172bda/pipenv/patched/piptools/repositories/pypi.py#L60-L71

Margertmargery answered 31/12, 2019 at 4:2 Comment(0)
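
The workaround described in this answer, sketched as an added example (not pipenv's own code and not part of the original post): take the hash from the artifact URL fragment when it is a well-formed strong digest, and download only otherwise. The function names, the `fetch` callback, the set of accepted algorithms and the sample URLs are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: only these fragment algorithms are strong enough to pin in a lock file.
STRONG = {"sha256", "sha384", "sha512"}

def hash_from_fragment(url):
    """Return 'algo:hexdigest' from a '#algo=hex' URL fragment, or None."""
    algo, sep, digest = urlsplit(url).fragment.partition("=")
    algo, digest = algo.lower(), digest.lower()
    if not sep or algo not in STRONG:
        return None  # no fragment, or a weak one such as md5
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        return None  # malformed digest: do not record it
    return f"{algo}:{digest}"

def lock_hash(url, fetch):
    """Return (hash, downloaded); fetch(url) -> bytes is called only when needed."""
    pinned = hash_from_fragment(url)
    if pinned is not None:
        return pinned, False  # hash taken from the URL, no download
    data = fetch(url)
    return "sha256:" + hashlib.sha256(data).hexdigest(), True

def demo():
    # Constructed sample: fake artifact bytes and URLs on a placeholder host.
    payload = b"constructed wheel bytes"
    sha = hashlib.sha256(payload).hexdigest()
    urls = [
        f"https://files.example.invalid/pkg-1.0-py3-none-any.whl#sha256={sha}",
        "https://files.example.invalid/pkg-1.0.tar.gz#md5=" + "0" * 32,
        "https://files.example.invalid/pkg-1.0.zip",
    ]
    downloads = []

    def fetch(url):
        downloads.append(url)
        return payload

    return [lock_hash(u, fetch) for u in urls], downloads

if __name__ == "__main__":
    results, downloads = demo()
    for entry in results:
        print(entry)
    print("downloaded:", len(downloads), "of", len(results))
```

Either way the recorded hash reflects what the index served at lock time; the lock file protects later installs against the artifact changing afterwards.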

If pipenv locking gets stuck somewhere, do:

$ pipenv install --skip-lock
$ pipenv lock

First skip the lock part with --skip-lock, then do the locking manually later when you have time.
It works.

Potentiality answered 14/10, 2020 at 7:19 Comment(1)
New pipenv is much faster: lincolnloop.github.io/python-package-manager-shootout - Genisia

Because the developers of pipenv are strange. Yes, they are strange.

In short, pipenv is trying to download every dependency to calculate the hash, so it can generate a lock file with hashes. It is easy to understand that this is important to ensure a consistent environment.

But the problem is that in the past this was the only way, as PyPI didn't provide hashes for the packages. Now it is just ridiculous, as PyPI does provide the hash for every package. There is no need to download the whole package just to get the hashtag. At least if you can get the hashtag directly from the metadata.

For an unknown reason, the developers of pipenv just don't want to make any change on this.

Boastful answered 31/12, 2019 at 4:14 Comment(3)
Non-native speaker question: Is a hash really called a "hashtag"? I thought this was only for #annotations. - Margertmargery
If the community uses a trustability chain to store the package hashes (blockchain), this problem should be solved, right? - Hayashi
@FelixDombek I think Sraw was maybe being inconsistent in terminology. If you check the pypi documentation pip.pypa.io/en/latest/reference/pip_install/#hashes-from-pypi you'll see that a hashtag (or number sign, or pound sign, or octothorp; they are all the same thing) is included as part of the download url, marking the url fragment; in that fragment the hash is specified using the key md5. For more information on the parts of a url, you can take a look at doepud.co.uk/blog/anatomy-of-a-url. - Integer
