Pip

Latest version: v25.0


25.0
=================

Deprecations and Removals
-------------------------

- Deprecate the ``no-python-version-warning`` flag as it has long done nothing
since Python 2 support was removed in pip 21.0. (`13154 <https://github.com/pypa/pip/issues/13154>`_)

Features
--------

- Prefer to display :pep:`639` ``License-Expression`` in ``pip show`` if metadata version is at least 2.4. (`13112 <https://github.com/pypa/pip/issues/13112>`_)
- Support :pep:`639` ``License-Expression`` and ``License-File`` metadata fields in JSON
output. ``pip inspect`` and ``pip install --report`` now emit
``license_expression`` and ``license_file`` fields in the ``metadata`` object,
if the corresponding fields are present in the installed ``METADATA`` file. (`13134 <https://github.com/pypa/pip/issues/13134>`_)
- Files in the network cache will inherit the read/write permissions of pip's cache
directory (in addition to the current user retaining read/write access). This
enables a single cache to be shared among multiple users. (`11012 <https://github.com/pypa/pip/issues/11012>`_)
- Return the size, along with the number, of files cleared on ``pip cache purge`` and ``pip cache remove`` (`12176 <https://github.com/pypa/pip/issues/12176>`_)
- Cache ``python-requires`` checks while filtering potential installation candidates. (`13128 <https://github.com/pypa/pip/issues/13128>`_)
- Optimize package collection by avoiding unnecessary URL parsing and other processing. (`13132 <https://github.com/pypa/pip/issues/13132>`_)

Bug Fixes
---------

- Reorder the encoding detection when decoding a requirements file, relying on
UTF-8 over the locale encoding by default, matching the documented behaviour.
(`12771 <https://github.com/pypa/pip/issues/12771>`_)
- The pip version self check is disabled on ``EXTERNALLY-MANAGED`` environments. (`11820 <https://github.com/pypa/pip/issues/11820>`_)
- Fix a security bug allowing a specially crafted wheel to execute code during
installation. (`13079 <https://github.com/pypa/pip/issues/13079>`_)
- The inclusion of ``packaging`` 24.2 changes how pre-release specifiers with ``<`` and ``>``
behave. Including a pre-release version with these specifiers now implies
accepting pre-releases (e.g., ``<2.0dev`` can include ``1.0rc1``). To avoid
implying pre-releases, avoid specifying them (e.g., use ``<2.0``).
The exception is ``!=``, which never implies pre-releases. (`13163 <https://github.com/pypa/pip/issues/13163>`_)
- The ``--cert`` and ``--client-cert`` command-line options are now respected while
installing build dependencies. Consequently, the private ``_PIP_STANDALONE_CERT``
environment variable is no longer used. (`5502 <https://github.com/pypa/pip/issues/5502>`_)
- The ``--proxy`` command-line option is now respected while installing build dependencies. (`6018 <https://github.com/pypa/pip/issues/6018>`_)
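The pre-release rule above is easy to trip over in a pinned requirements file, so here is an added example (not pip's own code) that checks which rule the loaded ``packaging`` applies and flags ``<``/``>`` clauses that now silently admit pre-releases. The ``pip._vendor`` import, the ``SAMPLE`` requirements and the helper names are assumptions of this example.

```python
"""Audit requirement specifiers for the packaging 24.2 pre-release rule.

Added example, not pip's own code.  Under packaging >= 24.2 (vendored by
pip 25.0) a ``<``/``>`` clause that itself names a pre-release implies that
pre-releases are acceptable; ``<2.0`` does not and ``!=`` never does.
"""
try:  # pip's vendored copy is what pip resolves with, so prefer it
    from pip._vendor import packaging
    from pip._vendor.packaging.requirements import Requirement
    from pip._vendor.packaging.specifiers import SpecifierSet
    from pip._vendor.packaging.version import Version
except ImportError:  # pip not importable: fall back to standalone packaging
    import packaging
    from packaging.requirements import Requirement
    from packaging.specifiers import SpecifierSet
    from packaging.version import Version

PACKAGING_VERSION = packaging.__version__

def new_prerelease_semantics() -> bool:
    """True when the loaded packaging applies the 24.2 rule to < and >."""
    return Version(PACKAGING_VERSION) >= Version("24.2")

def admits(spec: str, candidate: str) -> bool:
    """Does ``spec`` accept ``candidate`` with default pre-release handling?"""
    return SpecifierSet(spec).contains(Version(candidate))

def audit(requirement_lines: list[str]) -> list[dict]:
    """Flag < and > clauses that name a pre-release, with the safe rewrite."""
    findings = []
    for line in requirement_lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        req = Requirement(line)
        for spec in req.specifier:
            if spec.operator in ("<", ">") and Version(spec.version).is_prerelease:
                base = Version(spec.version).base_version  # e.g. 2.0dev -> 2.0
                findings.append({"name": req.name,
                                 "clause": spec.operator + spec.version,
                                 "fix": spec.operator + base})
    return findings

# Constructed sample requirements file, not taken from any real project.
SAMPLE = [
    "requests>=2.0,<3.0",       # plain bounds: pre-releases stay excluded
    "somelib<2.0dev",           # names a dev release: now implies pre-releases
    "otherlib>1.0rc1,!=1.1b1",  # '>' clause flagged; '!=' never implies them
]
```

Running ``audit(SAMPLE)`` reports ``somelib`` and ``otherlib`` with the ``<2.0`` / ``>1.0`` rewrites; ``admits("<2.0dev", "1.0rc1")`` is only true when ``new_prerelease_semantics()`` is.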

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.1
- Upgrade idna to 3.10
- Upgrade msgpack to 1.1.0
- Upgrade packaging to 24.2
- Upgrade platformdirs to 4.3.6
- Upgrade pyproject-hooks to 1.2.0
- Upgrade rich to 13.9.4
- Upgrade tomli to 2.2.1

Improved Documentation
----------------------

- Removed section about non-existing ``--force-keyring`` flag. (`12455 <https://github.com/pypa/pip/issues/12455>`_)

Process
-------

- Started releasing to PyPI from a GitHub Actions CI/CD workflow that implements trusted publishing and bundles :pep:`740` digital attestations.

24.3.1 (Not secure)
===================

Bug Fixes
---------

- Allow multiple nested inclusions of the same requirements file again. (`13046 <https://github.com/pypa/pip/issues/13046>`_)

24.3 (Not secure)
=================

Deprecations and Removals
-------------------------

- Deprecate wheel filenames that are not compliant with :pep:`440`. (`12918 <https://github.com/pypa/pip/issues/12918>`_)

Features
--------

- Detect recursively referencing requirements files and help users identify
the source. (`12653 <https://github.com/pypa/pip/issues/12653>`_)
- Support for :pep:`730` iOS wheels. (`12961 <https://github.com/pypa/pip/issues/12961>`_)

Bug Fixes
---------

- Display a better error message when an already installed package has an invalid requirement. (`12953 <https://github.com/pypa/pip/issues/12953>`_)
- Ignore ``PIP_TARGET`` and ``pip.conf`` ``global.target`` when preparing a build environment. (`8438 <https://github.com/pypa/pip/issues/8438>`_)
- Restore support for macOS 10.12 and older (via truststore). (`12901 <https://github.com/pypa/pip/issues/12901>`_)
- Allow installing pip in editable mode in a virtual environment on Windows. (`12666 <https://github.com/pypa/pip/issues/12666>`_)

Vendored Libraries
------------------

- Upgrade certifi to 2024.8.30
- Upgrade distlib to 0.3.9
- Upgrade truststore to 0.10.0
- Upgrade urllib3 to 1.26.20

24.2 (Not secure)
=================

Deprecations and Removals
-------------------------

- Deprecate ``pip install --editable`` falling back to ``setup.py develop``
when using a setuptools version that does not support :pep:`660`
(setuptools v63 and older). (`11457 <https://github.com/pypa/pip/issues/11457>`_)

Features
--------

- Check unsupported packages for the current platform. (`11054 <https://github.com/pypa/pip/issues/11054>`_)
- Use system certificates *and* certifi certificates to verify HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.

To revert to previous behaviour, pass the flag ``--use-deprecated=legacy-certs``. (`11647 <https://github.com/pypa/pip/issues/11647>`_)
- Improve discovery performance of installed packages when the ``importlib.metadata``
backend is used to load distribution metadata (used by default under Python 3.11+). (`12656 <https://github.com/pypa/pip/issues/12656>`_)
- Improve performance when the same requirement string appears many times during
resolution, by consistently caching the parsed requirement string. (`12663 <https://github.com/pypa/pip/issues/12663>`_)
- Minor performance improvement of finding applicable package candidates by not
repeatedly calculating their versions (`12664 <https://github.com/pypa/pip/issues/12664>`_)
- Disable pip's self version check when invoking a pip subprocess to install
PEP 517 build requirements. (`12683 <https://github.com/pypa/pip/issues/12683>`_)
- Improve dependency resolution performance by caching platform compatibility
tags during wheel cache lookup. (`12712 <https://github.com/pypa/pip/issues/12712>`_)
- ``wheel`` is no longer explicitly listed as a build dependency of ``pip``.
``setuptools`` injects this dependency in the ``get_requires_for_build_wheel()``
hook and no longer needs it on newer versions. (`12728 <https://github.com/pypa/pip/issues/12728>`_)
- Ignore ``--require-virtualenv`` for ``pip check`` and ``pip freeze`` (`12842 <https://github.com/pypa/pip/issues/12842>`_)
- Improve package download and install performance.

Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar. (`12810 <https://github.com/pypa/pip/issues/12810>`_)
- Improve pip install performance.

Files are now extracted in 1 MB blocks, or in a single block matching the file size for
smaller files. A decompressor is no longer instantiated when extracting 0-byte files,
since there is no data to decompress. (`12803 <https://github.com/pypa/pip/issues/12803>`_)

Bug Fixes
---------

- Set ``no_color`` to global ``rich.Console`` instance. (`11045 <https://github.com/pypa/pip/issues/11045>`_)
- Fix resolution to respect ``--python-version`` when checking ``Requires-Python``. (`12216 <https://github.com/pypa/pip/issues/12216>`_)
- Perform hash comparisons in a case-insensitive manner. (`12680 <https://github.com/pypa/pip/issues/12680>`_)
- Avoid ``dlopen`` failure for glibc detection in musl builds (`12716 <https://github.com/pypa/pip/issues/12716>`_)
- Avoid keyring logging crashes when pip is run in verbose mode. (`12751 <https://github.com/pypa/pip/issues/12751>`_)
- Fix finding hardlink targets in tar files with an ignored top-level directory. (`12781 <https://github.com/pypa/pip/issues/12781>`_)
- Improve pip install performance by only creating required parent
directories once, instead of before extracting every file in the wheel. (`12782 <https://github.com/pypa/pip/issues/12782>`_)
- Improve pip install performance by calculating installed packages printout
in linear time instead of quadratic time. (`12791 <https://github.com/pypa/pip/issues/12791>`_)

Vendored Libraries
------------------

- Remove vendored tenacity.
- Update the preload list for the ``DEBUNDLED`` case, to replace ``pep517`` that has been renamed to ``pyproject_hooks``.
- Use tomllib from the stdlib if available, rather than tomli
- Upgrade certifi to 2024.7.4
- Upgrade platformdirs to 4.2.2
- Upgrade pygments to 2.18.0
- Upgrade setuptools to 70.3.0
- Upgrade typing_extensions to 4.12.2

Improved Documentation
----------------------

- Correct ``—-ignore-conflicts`` (including an em dash) to ``--ignore-conflicts``. (`12851 <https://github.com/pypa/pip/issues/12851>`_)

24.1.2 (Not secure)
===================

Bug Fixes
---------

- Fix finding hardlink targets in tar files with an ignored top-level directory. (`12781 <https://github.com/pypa/pip/issues/12781>`_)

24.1.1 (Not secure)
===================

Bug Fixes
---------

- Actually use system trust stores when the truststore feature is enabled.

Vendored Libraries
------------------

- Upgrade requests to 2.32.3

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.