Pdm

Latest version: v2.23.0


Page 11 of 37

2.7.0

Not secure
---------------------------

Features & Improvements

- When keyring is available, either by importing or by CLI, the credentials of repositories and PyPI indexes will be saved into it. [1908](https://github.com/pdm-project/pdm/issues/1908)
- Add support for reading metadata from simple index directly. [1919](https://github.com/pdm-project/pdm/issues/1919)
- Add a configuration to specify constant command arguments for every pdm invocation. [1923](https://github.com/pdm-project/pdm/issues/1923)
- Add the ability to skip SSL verification for publish repositories via the `repository.custom.verify_ssl` config option as well as a new command-line argument of the `publish` command. [1928](https://github.com/pdm-project/pdm/issues/1928)
- Use lazy import to reduce the startup time of the CLI. [1929](https://github.com/pdm-project/pdm/issues/1929)
- Add the local plugin scripts to `PATH` env var. [1944](https://github.com/pdm-project/pdm/issues/1944)

Bug Fixes

- Don't use install cache when installing build requirements to avoid race condition. [1869](https://github.com/pdm-project/pdm/issues/1869)
- Fix a number of `ResourceWarning`s when running the test suite with warnings enabled. [1915](https://github.com/pdm-project/pdm/issues/1915)
- Fix a bug where the dev-dependencies group gets updated with the optional dependencies, causing a hash mismatch. [1916](https://github.com/pdm-project/pdm/issues/1916)
- Fix format conversion error from Poetry when `tool.poetry.build` doesn't exist. [1935](https://github.com/pdm-project/pdm/issues/1935)
- Add timeout when fetching .gitignore from GitHub. [1937](https://github.com/pdm-project/pdm/issues/1937)
- Keep the variables in the URL credentials when exporting. [1939](https://github.com/pdm-project/pdm/issues/1939)
- Convert to boolean when setting `verify_ssl` for custom indexes. [1945](https://github.com/pdm-project/pdm/issues/1945)
- `pdm import` clobbers `build-system.requires` value in `pyproject.toml`. [1948](https://github.com/pdm-project/pdm/issues/1948)

Documentation

- Update publish.md to use `run` instead of `runs` to match the GitHub Actions steps documentation. [1936](https://github.com/pdm-project/pdm/issues/1936)
- Update advanced.md to use `pdm sync` instead of `pdm install --no-lock`. [1947](https://github.com/pdm-project/pdm/issues/1947)

2.6.1

Not secure
---------------------------

Bug Fixes

- Fix the error when publishing using trusted publisher. [1868](https://github.com/pdm-project/pdm/issues/1868)
- Fix a bug where the `PATH` env var isn't set correctly when running under non-isolation mode. [1904](https://github.com/pdm-project/pdm/issues/1904)

2.6.0

Not secure
---------------------------

Features & Improvements

- Install project-level plugins from project config, with `tool.pdm.plugins` setting. [1461](https://github.com/pdm-project/pdm/issues/1461)
- Added a `--json` flag to both the `run` and `info` commands, allowing scripts and info to be dumped as JSON. [1854](https://github.com/pdm-project/pdm/issues/1854)
- Consider tasks with a name starting with an underscore (`_`) as internal tasks and hide them from the listing. [1855](https://github.com/pdm-project/pdm/issues/1855)
- When running `pdm init -n` (non-interactive mode), a venv will be created by default. Previously, the selected Python was used under PEP 582 mode. [1862](https://github.com/pdm-project/pdm/issues/1862)
- Support [Trusted Publisher](https://docs.pypi.org/trusted-publishers/). [1868](https://github.com/pdm-project/pdm/issues/1868)
- Add an ephemeral wheel cache in process for wheels built from non-static revision sources. [1885](https://github.com/pdm-project/pdm/issues/1885)
- Allow self-referencing groups in dev-dependencies. [1890](https://github.com/pdm-project/pdm/issues/1890)
- Add an option `--no-cross-platform` to `pdm lock` to create a non-cross-platform lockfile. [1898](https://github.com/pdm-project/pdm/issues/1898)

Bug Fixes

- Fix brackets in `--venv` option descriptions in zsh completion script. [1847](https://github.com/pdm-project/pdm/issues/1847)
- The resolver doesn't take into account the requirements for both bare `package` and `package[extra]`. [1851](https://github.com/pdm-project/pdm/issues/1851)
- Default pypi source does not use the configured `pypi.password`, but "<hidden>" instead. [1856](https://github.com/pdm-project/pdm/issues/1856)
- Detect Python interpreters under the root of virtual environments. [1866](https://github.com/pdm-project/pdm/issues/1866)
- Fix a race condition when the builder is creating a new build directory. [1869](https://github.com/pdm-project/pdm/issues/1869)
- Raise `FileNotFoundError` if the requirement path is not found. [1875](https://github.com/pdm-project/pdm/issues/1875)
- Fix a bug where the self package isn't uninstallable. [1901](https://github.com/pdm-project/pdm/issues/1901)

2.5.6

Not secure
---------------------------

Bug Fixes

- Fix a double reading issue due to `cachecontrol` not being compatible with urllib3 2.0. [1894](https://github.com/pdm-project/pdm/issues/1894)

2.5.5

Not secure
---------------------------

No significant changes.

2.5.4

Not secure
---------------------------

Bug Fixes

- Pin urllib3 to `<2.0` to avoid incompatibility with `cachecontrol`. [1886](https://github.com/pdm-project/pdm/issues/1886)
