Pip

Latest version: v24.1

Safety actively analyzes 640563 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 10 of 25

20.1

Not secure
=================

Process
-------

- Document that pip 21.0 will drop support for Python 2.7.

Features
--------

- Add ``pip cache dir`` to show the cache directory. (`7350 <https://github.com/pypa/pip/issues/7350>`_)

Bug Fixes
---------

- Abort pip cache commands early when cache is disabled. (`8124 <https://github.com/pypa/pip/issues/8124>`_)
- Correctly set permissions on metadata files during wheel installation,
to permit non-privileged users to read from system site-packages. (`8139 <https://github.com/pypa/pip/issues/8139>`_)

20.1b1

Not secure
===================

Deprecations and Removals
-------------------------

- Remove emails from AUTHORS.txt to prevent usage for spamming, and only populate names in AUTHORS.txt at time of release (`5979 <https://github.com/pypa/pip/issues/5979>`_)
- Remove deprecated ``--skip-requirements-regex`` option. (`7297 <https://github.com/pypa/pip/issues/7297>`_)
- Building of local directories is now done in place, instead of a temporary
location containing a copy of the directory tree. (`7555 <https://github.com/pypa/pip/issues/7555>`_)
- Remove unused ``tests/scripts/test_all_pip.py`` test script and the ``tests/scripts`` folder. (`7680 <https://github.com/pypa/pip/issues/7680>`_)

Features
--------

- pip now implements PEP 610, so ``pip freeze`` has better fidelity
in presence of distributions installed from Direct URL requirements. (`609 <https://github.com/pypa/pip/issues/609>`_)
- Add ``pip cache`` command for inspecting/managing pip's wheel cache. (`6391 <https://github.com/pypa/pip/issues/6391>`_)
- Raise error if ``--user`` and ``--target`` are used together in ``pip install`` (`7249 <https://github.com/pypa/pip/issues/7249>`_)
- Significantly improve performance when ``--find-links`` points to a very large HTML page. (`7729 <https://github.com/pypa/pip/issues/7729>`_)
- Indicate when wheel building is skipped, due to lack of the ``wheel`` package. (`7768 <https://github.com/pypa/pip/issues/7768>`_)
- Change default behaviour to always cache responses from trusted-host source. (`7847 <https://github.com/pypa/pip/issues/7847>`_)
- An alpha version of a new resolver is available via ``--unstable-feature=resolver``. (`988 <https://github.com/pypa/pip/issues/988>`_)

Bug Fixes
---------

- Correctly freeze a VCS editable package when it is nested inside another VCS repository. (`3988 <https://github.com/pypa/pip/issues/3988>`_)
- Correctly handle ``%2F`` in URL parameters to avoid accidentally unescape them
into ``/``. (`6446 <https://github.com/pypa/pip/issues/6446>`_)
- Reject VCS URLs with an empty revision. (`7402 <https://github.com/pypa/pip/issues/7402>`_)
- Warn when an invalid URL is passed with ``--index-url`` (`7430 <https://github.com/pypa/pip/issues/7430>`_)
- Use better mechanism for handling temporary files, when recording metadata
about installed files (RECORD) and the installer (INSTALLER). (`7699 <https://github.com/pypa/pip/issues/7699>`_)
- Correctly detect global site-packages availability of virtual environments
created by PyPA’s virtualenv>=20.0. (`7718 <https://github.com/pypa/pip/issues/7718>`_)
- Remove current directory from ``sys.path`` when invoked as ``python -m pip <command>`` (`7731 <https://github.com/pypa/pip/issues/7731>`_)
- Stop failing uninstallation, when trying to remove non-existent files. (`7856 <https://github.com/pypa/pip/issues/7856>`_)
- Prevent an infinite recursion with ``pip wheel`` when ``$TMPDIR`` is within the source directory. (`7872 <https://github.com/pypa/pip/issues/7872>`_)
- Significantly speedup ``pip list --outdated`` by parallelizing index interaction. (`7962 <https://github.com/pypa/pip/issues/7962>`_)
- Improve Windows compatibility when detecting writability in folder. (`8013 <https://github.com/pypa/pip/issues/8013>`_)

Vendored Libraries
------------------

- Update semi-supported debundling script to reflect that appdirs is vendored.
- Add ResolveLib as a vendored dependency.
- Upgrade certifi to 2020.04.05.1
- Upgrade contextlib2 to 0.6.0.post1
- Upgrade distro to 1.5.0.
- Upgrade idna to 2.9.
- Upgrade msgpack to 1.0.0.
- Upgrade packaging to 20.3.
- Upgrade pep517 to 0.8.2.
- Upgrade pyparsing to 2.4.7.
- Remove pytoml as a vendored dependency.
- Upgrade requests to 2.23.0.
- Add toml as a vendored dependency.
- Upgrade urllib3 to 1.25.8.

Improved Documentation
----------------------

- Emphasize that VCS URLs using git, git+git and git+http are insecure due to
lack of authentication and encryption (`1983 <https://github.com/pypa/pip/issues/1983>`_)
- Clarify the usage of --no-binary command. (`3191 <https://github.com/pypa/pip/issues/3191>`_)
- Clarify the usage of freeze command in the example of Using pip in your program (`7008 <https://github.com/pypa/pip/issues/7008>`_)
- Add a "Copyright" page. (`7767 <https://github.com/pypa/pip/issues/7767>`_)
- Added example of defining multiple values for options which support them (`7803 <https://github.com/pypa/pip/issues/7803>`_)

20.0.2

Not secure
===================

Bug Fixes
---------

- Fix a regression in generation of compatibility tags. (`7626 <https://github.com/pypa/pip/issues/7626>`_)

Vendored Libraries
------------------

- Upgrade packaging to 20.1

20.0.1

Not secure
===================

Bug Fixes
---------

- Rename an internal module, to avoid ImportErrors due to improper uninstallation. (`7621 <https://github.com/pypa/pip/issues/7621>`_)

20.0

Not secure
=================

Process
-------

- Switch to a dedicated CLI tool for vendoring dependencies.

Deprecations and Removals
-------------------------

- Remove wheel tag calculation from pip and use ``packaging.tags``. This
should provide more tags ordered better than in prior releases. (`6908 <https://github.com/pypa/pip/issues/6908>`_)
- Deprecate setup.py-based builds that do not generate an ``.egg-info`` directory. (`6998 <https://github.com/pypa/pip/issues/6998>`_)
- The pip>=20 wheel cache is not retro-compatible with previous versions. Until
pip 21.0, pip will continue to take advantage of existing legacy cache
entries. (`7296 <https://github.com/pypa/pip/issues/7296>`_)
- Deprecate undocumented ``--skip-requirements-regex`` option. (`7297 <https://github.com/pypa/pip/issues/7297>`_)
- Deprecate passing install-location-related options via ``--install-option``. (`7309 <https://github.com/pypa/pip/issues/7309>`_)
- Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384
which only defines it for this platform. (`7327 <https://github.com/pypa/pip/issues/7327>`_)
- Remove interpreter-specific major version tag e.g. ``cp3-none-any``
from consideration. This behavior was not documented strictly, and this
tag in particular is `not useful <https://snarky.ca/the-challenges-in-designing-a-library-for-pep-425/>`_.
Anyone with a use case can create an issue with pypa/packaging. (`7355 <https://github.com/pypa/pip/issues/7355>`_)
- Wheel processing no longer permits wheels containing more than one top-level
.dist-info directory. (`7487 <https://github.com/pypa/pip/issues/7487>`_)
- Support for the ``git+git`` form of VCS requirement is being deprecated and
will be removed in pip 21.0. Switch to ``git+https://`` or
``git+ssh://``. ``git+git://`` also works but its use is discouraged as it is
insecure. (`7543 <https://github.com/pypa/pip/issues/7543>`_)

Features
--------

- Default to doing a user install (as if ``--user`` was passed) when the main
site-packages directory is not writeable and user site-packages are enabled. (`1668 <https://github.com/pypa/pip/issues/1668>`_)
- Warn if a path in PATH starts with tilde during ``pip install``. (`6414 <https://github.com/pypa/pip/issues/6414>`_)
- Cache wheels built from Git requirements that are considered immutable,
because they point to a commit hash. (`6640 <https://github.com/pypa/pip/issues/6640>`_)
- Add option ``--no-python-version-warning`` to silence warnings
related to deprecation of Python versions. (`6673 <https://github.com/pypa/pip/issues/6673>`_)
- Cache wheels that ``pip wheel`` built locally, matching what
``pip install`` does. This particularly helps performance in workflows where
``pip wheel`` is used for `building before installing
<https://pip.pypa.io/en/stable/user_guide/#installing-from-local-packages>`_.
Users desiring the original behavior can use ``pip wheel --no-cache-dir``. (`6852 <https://github.com/pypa/pip/issues/6852>`_)
- Display CA information in ``pip debug``. (`7146 <https://github.com/pypa/pip/issues/7146>`_)
- Show only the filename (instead of full URL), when downloading from PyPI. (`7225 <https://github.com/pypa/pip/issues/7225>`_)
- Suggest a more robust command to upgrade pip itself to avoid confusion when the
current pip command is not available as ``pip``. (`7376 <https://github.com/pypa/pip/issues/7376>`_)
- Define all old pip console script entrypoints to prevent import issues in
stale wrapper scripts. (`7498 <https://github.com/pypa/pip/issues/7498>`_)
- The build step of ``pip wheel`` now builds all wheels to a cache first,
then copies them to the wheel directory all at once.
Before, it built them to a temporary directory and moved
them to the wheel directory one by one. (`7517 <https://github.com/pypa/pip/issues/7517>`_)
- Expand ``~`` prefix to user directory in path options, configs, and
environment variables. Values that may be either URL or path are not
currently supported, to avoid ambiguity:

* ``--find-links``
* ``--constraint``, ``-c``
* ``--requirement``, ``-r``
* ``--editable``, ``-e`` (`980 <https://github.com/pypa/pip/issues/980>`_)

Bug Fixes
---------

- Correctly handle system site-packages, in virtual environments created with venv (PEP 405). (`5702 <https://github.com/pypa/pip/issues/5702>`_, `#7155 <https://github.com/pypa/pip/issues/7155>`_)
- Fix case sensitive comparison of pip freeze when used with -r option. (`5716 <https://github.com/pypa/pip/issues/5716>`_)
- Enforce PEP 508 requirement format in ``pyproject.toml``
``build-system.requires``. (`6410 <https://github.com/pypa/pip/issues/6410>`_)
- Make ``ensure_dir()`` also ignore ``ENOTEMPTY`` as seen on Windows. (`6426 <https://github.com/pypa/pip/issues/6426>`_)
- Fix building packages which specify ``backend-path`` in pyproject.toml. (`6599 <https://github.com/pypa/pip/issues/6599>`_)
- Do not attempt to run ``setup.py clean`` after a ``pep517`` build error,
since a ``setup.py`` may not exist in that case. (`6642 <https://github.com/pypa/pip/issues/6642>`_)
- Fix passwords being visible in the index-url in
"Downloading <url>" message. (`6783 <https://github.com/pypa/pip/issues/6783>`_)
- Change method from shutil.remove to shutil.rmtree in noxfile.py. (`7191 <https://github.com/pypa/pip/issues/7191>`_)
- Skip running tests which require subversion, when svn isn't installed (`7193 <https://github.com/pypa/pip/issues/7193>`_)
- Fix not sending client certificates when using ``--trusted-host``. (`7207 <https://github.com/pypa/pip/issues/7207>`_)
- Make sure ``pip wheel`` never outputs pure python wheels with a
python implementation tag. Better fix/workaround for
`3025 <https://github.com/pypa/pip/issues/3025>`_ by
using a per-implementation wheel cache instead of caching pure python
wheels with an implementation tag in their name. (`7296 <https://github.com/pypa/pip/issues/7296>`_)
- Include ``subdirectory`` URL fragments in cache keys. (`7333 <https://github.com/pypa/pip/issues/7333>`_)
- Fix typo in warning message when any of ``--build-option``, ``--global-option``
and ``--install-option`` is used in requirements.txt (`7340 <https://github.com/pypa/pip/issues/7340>`_)
- Fix the logging of cached HTTP response shown as downloading. (`7393 <https://github.com/pypa/pip/issues/7393>`_)
- Effectively disable the wheel cache when it is not writable, as is the
case with the http cache. (`7488 <https://github.com/pypa/pip/issues/7488>`_)
- Correctly handle relative cache directory provided via --cache-dir. (`7541 <https://github.com/pypa/pip/issues/7541>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.12.5
- Upgrade certifi to 2019.9.11
- Upgrade colorama to 0.4.1
- Upgrade distlib to 0.2.9.post0
- Upgrade ipaddress to 1.0.22
- Update packaging to 20.0.
- Upgrade pkg_resources (via setuptools) to 44.0.0
- Upgrade pyparsing to 2.4.2
- Upgrade six to 1.12.0
- Upgrade urllib3 to 1.25.6

Improved Documentation
----------------------

- Document that "coding: utf-8" is supported in requirements.txt (`7182 <https://github.com/pypa/pip/issues/7182>`_)
- Explain how to get pip's source code in `Getting Started <https://pip.pypa.io/en/stable/development/getting-started/>`_ (`#7197 <https://github.com/pypa/pip/issues/7197>`_)
- Describe how basic authentication credentials in URLs work. (`7201 <https://github.com/pypa/pip/issues/7201>`_)
- Add more clear installation instructions (`7222 <https://github.com/pypa/pip/issues/7222>`_)
- Fix documentation links for index options (`7347 <https://github.com/pypa/pip/issues/7347>`_)
- Better document the requirements file format (`7385 <https://github.com/pypa/pip/issues/7385>`_)

19.3.1

Not secure
===================

Features
--------

- Document Python 3.8 support. (`7219 <https://github.com/pypa/pip/issues/7219>`_)

Bug Fixes
---------

- Fix bug that prevented installation of PEP 517 packages without ``setup.py``. (`6606 <https://github.com/pypa/pip/issues/6606>`_)

Page 10 of 25

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.