Pip

Latest version: v24.1

Safety actively analyzes 640580 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 11 of 25

19.3

Not secure
=================

Deprecations and Removals
-------------------------

- Remove undocumented support for un-prefixed URL requirements pointing
to SVN repositories. Users relying on this can get the original behavior
by prefixing their URL with ``svn+`` (which is backwards-compatible). (`7037 <https://github.com/pypa/pip/issues/7037>`_)
- Remove the deprecated ``--venv`` option from ``pip config``. (`7163 <https://github.com/pypa/pip/issues/7163>`_)

Features
--------

- Print a better error message when ``--no-binary`` or ``--only-binary`` is given
an argument starting with ``-``. (`3191 <https://github.com/pypa/pip/issues/3191>`_)
- Make ``pip show`` warn about packages not found. (`6858 <https://github.com/pypa/pip/issues/6858>`_)
- Support including a port number in ``--trusted-host`` for both HTTP and HTTPS. (`6886 <https://github.com/pypa/pip/issues/6886>`_)
- Redact single-part login credentials from URLs in log messages. (`6891 <https://github.com/pypa/pip/issues/6891>`_)
- Implement manylinux2014 platform tag support. manylinux2014 is the successor
to manylinux2010. It allows carefully compiled binary wheels to be installed
on compatible Linux platforms. The manylinux2014 platform tag definition can
be found in `PEP599 <https://www.python.org/dev/peps/pep-0599/>`_. (`#7102 <https://github.com/pypa/pip/issues/7102>`_)

Bug Fixes
---------

- Abort installation if any archive contains a file which would be placed
outside the extraction location. (`3907 <https://github.com/pypa/pip/issues/3907>`_)
- pip's CLI completion code no longer prints a Traceback if it is interrupted. (`3942 <https://github.com/pypa/pip/issues/3942>`_)
- Correct inconsistency related to the ``hg+file`` scheme. (`4358 <https://github.com/pypa/pip/issues/4358>`_)
- Fix ``rmtree_errorhandler`` to skip non-existing directories. (`4910 <https://github.com/pypa/pip/issues/4910>`_)
- Ignore errors copying socket files for local source installs (in Python 3). (`5306 <https://github.com/pypa/pip/issues/5306>`_)
- Fix requirement line parser to correctly handle PEP 440 requirements with a URL
pointing to an archive file. (`6202 <https://github.com/pypa/pip/issues/6202>`_)
- The ``pip-wheel-metadata`` directory does not need to persist between invocations of pip, use a temporary directory instead of the current ``setup.py`` directory. (`6213 <https://github.com/pypa/pip/issues/6213>`_)
- Fix ``--trusted-host`` processing under HTTPS to trust any port number used
with the host. (`6705 <https://github.com/pypa/pip/issues/6705>`_)
- Switch to new ``distlib`` wheel script template. This should be functionally
equivalent for end users. (`6763 <https://github.com/pypa/pip/issues/6763>`_)
- Skip copying .tox and .nox directories to temporary build directories (`6770 <https://github.com/pypa/pip/issues/6770>`_)
- Fix handling of tokens (single part credentials) in URLs. (`6795 <https://github.com/pypa/pip/issues/6795>`_)
- Fix a regression that caused ``~`` expansion not to occur in ``--find-links``
paths. (`6804 <https://github.com/pypa/pip/issues/6804>`_)
- Fix bypassed pip upgrade warning on Windows. (`6841 <https://github.com/pypa/pip/issues/6841>`_)
- Fix 'm' flag erroneously being appended to ABI tag in Python 3.8 on platforms that do not provide SOABI (`6885 <https://github.com/pypa/pip/issues/6885>`_)
- Hide security-sensitive strings like passwords in log messages related to
version control system (aka VCS) command invocations. (`6890 <https://github.com/pypa/pip/issues/6890>`_)
- Correctly uninstall symlinks that were installed in a virtualenv,
by tools such as ``flit install --symlink``. (`6892 <https://github.com/pypa/pip/issues/6892>`_)
- Don't fail installation using pip.exe on Windows when pip wouldn't be upgraded. (`6924 <https://github.com/pypa/pip/issues/6924>`_)
- Use canonical distribution names when computing ``Required-By`` in ``pip show``. (`6947 <https://github.com/pypa/pip/issues/6947>`_)
- Don't use hardlinks for locking selfcheck state file. (`6954 <https://github.com/pypa/pip/issues/6954>`_)
- Ignore "require_virtualenv" in ``pip config`` (`6991 <https://github.com/pypa/pip/issues/6991>`_)
- Fix ``pip freeze`` not showing correct entry for mercurial packages that use subdirectories. (`7071 <https://github.com/pypa/pip/issues/7071>`_)
- Fix a crash when ``sys.stdin`` is set to ``None``, such as on AWS Lambda. (`7118 <https://github.com/pypa/pip/issues/7118>`_, `#7119 <https://github.com/pypa/pip/issues/7119>`_)

Vendored Libraries
------------------

- Upgrade certifi to 2019.9.11
- Add contextlib2 0.6.0 as a vendored dependency.
- Remove Lockfile as a vendored dependency.
- Upgrade msgpack to 0.6.2
- Upgrade packaging to 19.2
- Upgrade pep517 to 0.7.0
- Upgrade pyparsing to 2.4.2
- Upgrade pytoml to 0.1.21
- Upgrade setuptools to 41.4.0
- Upgrade urllib3 to 1.25.6

Improved Documentation
----------------------

- Document caveats for UNC paths in uninstall and add .pth unit tests. (`6516 <https://github.com/pypa/pip/issues/6516>`_)
- Add architectural overview documentation. (`6637 <https://github.com/pypa/pip/issues/6637>`_)
- Document that ``--ignore-installed`` is dangerous. (`6794 <https://github.com/pypa/pip/issues/6794>`_)

19.2.3

Not secure
===================

Bug Fixes
---------

- Fix 'm' flag erroneously being appended to ABI tag in Python 3.8 on platforms that do not provide SOABI (`6885 <https://github.com/pypa/pip/issues/6885>`_)

19.2.2

Not secure
===================

Bug Fixes
---------

- Fix handling of tokens (single part credentials) in URLs. (`6795 <https://github.com/pypa/pip/issues/6795>`_)
- Fix a regression that caused ``~`` expansion not to occur in ``--find-links``
paths. (`6804 <https://github.com/pypa/pip/issues/6804>`_)

19.2.1

Not secure
===================

Bug Fixes
---------

- Fix a ``NoneType`` ``AttributeError`` when evaluating hashes and no hashes
are provided. (`6772 <https://github.com/pypa/pip/issues/6772>`_)

19.2

Not secure
=================

Deprecations and Removals
-------------------------

- Drop support for EOL Python 3.4. (`6685 <https://github.com/pypa/pip/issues/6685>`_)
- Improve deprecation messages to include the version in which the functionality will be removed. (`6549 <https://github.com/pypa/pip/issues/6549>`_)

Features
--------

- Credentials will now be loaded using `keyring` when installed. (`5948 <https://github.com/pypa/pip/issues/5948>`_)
- Fully support using ``--trusted-host`` inside requirements files. (`3799 <https://github.com/pypa/pip/issues/3799>`_)
- Update timestamps in pip's ``--log`` file to include milliseconds. (`6587 <https://github.com/pypa/pip/issues/6587>`_)
- Respect whether a file has been marked as "yanked" from a simple repository
(see `PEP 592 <https://www.python.org/dev/peps/pep-0592/>`__ for details). (`#6633 <https://github.com/pypa/pip/issues/6633>`_)
- When choosing candidates to install, prefer candidates with a hash matching
one of the user-provided hashes. (`5874 <https://github.com/pypa/pip/issues/5874>`_)
- Improve the error message when ``METADATA`` or ``PKG-INFO`` is None when
accessing metadata. (`5082 <https://github.com/pypa/pip/issues/5082>`_)
- Add a new command ``pip debug`` that can display e.g. the list of compatible
tags for the current Python. (`6638 <https://github.com/pypa/pip/issues/6638>`_)
- Display hint on installing with --pre when search results include pre-release versions. (`5169 <https://github.com/pypa/pip/issues/5169>`_)
- Report to Warehouse that pip is running under CI if the ``PIP_IS_CI`` environment variable is set. (`5499 <https://github.com/pypa/pip/issues/5499>`_)
- Allow ``--python-version`` to be passed as a dotted version string (e.g.
``3.7`` or ``3.7.3``). (`6585 <https://github.com/pypa/pip/issues/6585>`_)
- Log the final filename and SHA256 of a ``.whl`` file when done building a
wheel. (`5908 <https://github.com/pypa/pip/issues/5908>`_)
- Include the wheel's tags in the log message explanation when a candidate
wheel link is found incompatible. (`6121 <https://github.com/pypa/pip/issues/6121>`_)
- Add a ``--path`` argument to ``pip freeze`` to support ``--target``
installations. (`6404 <https://github.com/pypa/pip/issues/6404>`_)
- Add a ``--path`` argument to ``pip list`` to support ``--target``
installations. (`6551 <https://github.com/pypa/pip/issues/6551>`_)

Bug Fixes
---------

- Set ``sys.argv[0]`` to the underlying ``setup.py`` when invoking ``setup.py``
via the setuptools shim so setuptools doesn't think the path is ``-c``. (`1890 <https://github.com/pypa/pip/issues/1890>`_)
- Update ``pip download`` to respect the given ``--python-version`` when checking
``"Requires-Python"``. (`5369 <https://github.com/pypa/pip/issues/5369>`_)
- Respect ``--global-option`` and ``--install-option`` when installing from
a version control url (e.g. ``git``). (`5518 <https://github.com/pypa/pip/issues/5518>`_)
- Make the "ascii" progress bar really be "ascii" and not Unicode. (`5671 <https://github.com/pypa/pip/issues/5671>`_)
- Fail elegantly when trying to set an incorrectly formatted key in config. (`5963 <https://github.com/pypa/pip/issues/5963>`_)
- Prevent DistutilsOptionError when prefix is indicated in the global environment and `--target` is used. (`6008 <https://github.com/pypa/pip/issues/6008>`_)
- Fix ``pip install`` to respect ``--ignore-requires-python`` when evaluating
links. (`6371 <https://github.com/pypa/pip/issues/6371>`_)
- Fix a debug log message when freezing an editable, non-version controlled
requirement. (`6383 <https://github.com/pypa/pip/issues/6383>`_)
- Extend to Subversion 1.8+ the behavior of calling Subversion in
interactive mode when pip is run interactively. (`6386 <https://github.com/pypa/pip/issues/6386>`_)
- Prevent ``pip install <url>`` from permitting directory traversal if e.g.
a malicious server sends a ``Content-Disposition`` header with a filename
containing ``../`` or ``..\\``. (`6413 <https://github.com/pypa/pip/issues/6413>`_)
- Hide passwords in output when using ``--find-links``. (`6489 <https://github.com/pypa/pip/issues/6489>`_)
- Include more details in the log message if ``pip freeze`` can't generate a
requirement string for a particular distribution. (`6513 <https://github.com/pypa/pip/issues/6513>`_)
- Add the line number and file location to the error message when reading an
invalid requirements file in certain situations. (`6527 <https://github.com/pypa/pip/issues/6527>`_)
- Prefer ``os.confstr`` to ``ctypes`` when extracting glibc version info. (`6543 <https://github.com/pypa/pip/issues/6543>`_, `#6675 <https://github.com/pypa/pip/issues/6675>`_)
- Improve error message printed when an invalid editable requirement is provided. (`6648 <https://github.com/pypa/pip/issues/6648>`_)
- Improve error message formatting when a command errors out in a subprocess. (`6651 <https://github.com/pypa/pip/issues/6651>`_)

Vendored Libraries
------------------

- Upgrade certifi to 2019.6.16
- Upgrade distlib to 0.2.9.post0
- Upgrade msgpack to 0.6.1
- Upgrade requests to 2.22.0
- Upgrade urllib3 to 1.25.3
- Patch vendored html5lib, to prefer using `collections.abc` where possible.

Improved Documentation
----------------------

- Document how Python 2.7 support will be maintained. (`6726 <https://github.com/pypa/pip/issues/6726>`_)
- Upgrade Sphinx version used to build documentation. (`6471 <https://github.com/pypa/pip/issues/6471>`_)
- Fix generation of subcommand manpages. (`6724 <https://github.com/pypa/pip/issues/6724>`_)
- Mention that pip can install from git refs. (`6512 <https://github.com/pypa/pip/issues/6512>`_)
- Replace a failing example of pip installs with extras with a working one. (`4733 <https://github.com/pypa/pip/issues/4733>`_)

19.1.1

Not secure
===================

Features
--------

- Restore ``pyproject.toml`` handling to how it was with pip 19.0.3 to prevent
the need to add ``--no-use-pep517`` when installing in editable mode. (`6434 <https://github.com/pypa/pip/issues/6434>`_)

Bug Fixes
---------

- Fix a regression that caused `` to be quoted in pypiserver links.
This interfered with parsing the revision string from VCS urls. (`6440 <https://github.com/pypa/pip/issues/6440>`_)

Page 11 of 25

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.