diff --git a/news/4517.bugfix.rst b/news/4517.bugfix.rst
new file mode 100644
index 00000000..d8cd4c3e
--- /dev/null
+++ b/news/4517.bugfix.rst
@@ -0,0 +1 @@
+Restrict the acceptable hash type to SHA256 only.
diff --git a/pipenv/patched/piptools/repositories/pypi.py b/pipenv/patched/piptools/repositories/pypi.py
index 8f742713..c87a4e71 100644
--- a/pipenv/patched/piptools/repositories/pypi.py
+++ b/pipenv/patched/piptools/repositories/pypi.py
@@ -81,8 +81,8 @@ class HashCache(SafeFileCache):
 if can_hash:
 # hash url WITH fragment
 hash_value = self.get(new_location.url)
- if not hash_value:
- hash_value = "{}:{}".format(new_location.hash_name, new_location.hash)
+ if not hash_value and new_location.hash_name == FAVORITE_HASH:
+ hash_value = "{}:{}".format(FAVORITE_HASH, new_location.hash)
 hash_value = hash_value.encode('utf8')
 if not hash_value:
 hash_value = self._get_file_hash(new_location) if not new_location.url.startswith("ssh") else None
diff --git a/tasks/vendoring/patches/patched/piptools.patch b/tasks/vendoring/patches/patched/piptools.patch
index d4bda87b..015399da 100644
--- a/tasks/vendoring/patches/patched/piptools.patch
+++ b/tasks/vendoring/patches/patched/piptools.patch
@@ -285,8 +285,8 @@ index ef5ba4e..8f74271 100644
 + if can_hash:
 + # hash url WITH fragment
 + hash_value = self.get(new_location.url)
-+ if not hash_value:
-+ hash_value = "{}:{}".format(new_location.hash_name, new_location.hash)
++ if not hash_value and new_location.hash_name == FAVORITE_HASH:
++ hash_value = "{}:{}".format(FAVORITE_HASH, new_location.hash)
 + hash_value = hash_value.encode('utf8')
 + if not hash_value:
 + hash_value = self._get_file_hash(new_location) if not new_location.url.startswith("ssh") else None
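Review bot: The new `new_location.hash_name == FAVORITE_HASH` check in the pypi.py hunk only runs on a cache miss, so whatever `self.get(new_location.url)` returns is accepted as-is; an entry cached before this change from an md5 or sha1 URL fragment would still come back and, as far as this hunk shows, be used. If the cache is not versioned or cleared elsewhere, consider discarding cached values that lack the expected prefix, e.g. `if hash_value and not hash_value.startswith(FAVORITE_HASH.encode('utf8') + b':'): hash_value = None` (this assumes cached values are the utf8-encoded `name:digest` bytes, which the `.encode('utf8')` line suggests but does not prove). A short comment such as `# only trust a FAVORITE_HASH fragment from the index link; anything else is re-hashed from the file` would record why the code falls through to `_get_file_hash`. The same lines are mirrored in the tasks/vendoring/patches/patched/piptools.patch hunk, and the enclosing method starts and ends outside both hunks.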