Pip

Latest version: v24.3.1


Page 16 of 26

8.0.2 (not secure)
==================

- Stop attempting to trust the system CA trust store, because it is extremely
  common for system stores to be broken, often in incompatible ways. (3416)

8.0.1 (not secure)
==================

- Detect CAPaths in addition to CAFiles on platforms that provide them.
- Installing argparse or wsgiref will no longer warn or error - pip will allow
the installation even though it may be useless (since the installed thing
will be shadowed by the standard library).
- Upgrading a distutils installed item that is installed outside of a virtual
environment, while inside of a virtual environment will no longer warn or
error.
- Fix a bug where pre-releases were showing up in ``pip list --outdated``
without the ``--pre`` flag.
- Switch the SOABI emulation from using RuntimeWarnings to debug logging.
- Roll back the removal of the ability to uninstall distutils installed items
  until a future date.

8.0.0 (not secure)
==================

- **BACKWARD INCOMPATIBLE** Drop support for Python 3.2.
- **BACKWARD INCOMPATIBLE** Remove the ability to find any files other than the
ones directly linked from the index or find-links pages.
- **BACKWARD INCOMPATIBLE** Remove the ``--download-cache`` which had been
deprecated and no-op'd in 6.0.
- **BACKWARD INCOMPATIBLE** Remove the ``--log-explicit-levels`` which had been
deprecated in 6.0.
- **BACKWARD INCOMPATIBLE** Change the ``pip wheel --wheel-dir`` default path
  from ``<cwd>/wheelhouse`` to ``<cwd>``.
- Deprecate and no-op the ``--allow-external``, ``--allow-all-external``, and
``--allow-unverified`` functionality that was added as part of PEP 438. With
changes made to the repository protocol made in PEP 470, these options are no
longer functional.
- Allow ``--trusted-host`` within a requirements file. (2822)
- Allow ``--process-dependency-links`` within a requirements file. (1274)
- Allow ``--pre`` within a requirements file. (1273)
- Allow repository URLs with secure transports to count as trusted. (E.g.,
"git+ssh" is okay.) (2811)
- Implement a top-level ``pip download`` command and deprecate
``pip install --download``.
- When uninstalling, look for the case of paths containing symlinked
  directories. (3141, 3154)
- When installing, if building a wheel fails, clear up the build directory
before falling back to a source install. (3047)
- Fix user directory expansion when ``HOME=/``. Workaround for Python bug
https://bugs.python.org/issue14768. (#2996)
- Correct reporting of requirements file line numbers. (3009, 3125)
- Fix an ``IOError`` raised by the ``pip freeze`` and ``pip list`` commands
  with Subversion >= 1.7. (1062, 3346)
- Provide a spinner showing that progress is happening when installing or
building a package via ``setup.py``. This will alleviate concerns that
projects with unusually long build times have with pip appearing to stall.
- Include the functionality of ``peep`` into pip, allowing hashes to be baked
into a requirements file and ensuring that the packages being downloaded
match one of those hashes. This is an additional, opt-in security measure
that, when used, removes the need to trust the repository.
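The hash-checking mode described in the item above pins each requirement to one or more expected digests, so a downloaded archive is accepted only if its digest matches one of them. The following is an added illustration of that check, not pip's own implementation: it parses the documented ``--hash=<algorithm>:<hexdigest>`` requirement syntax (the sample requirements text and its digests are constructed placeholders) and verifies an artifact against the pinned digests, treating an unhashed requirement as an error when hashes are required. The restriction to SHA-2 algorithms is an assumption made here.

```python
import hashlib
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample in the requirements-file syntax: a pinned requirement may
# carry several --hash options, continued across lines with a trailing
# backslash.  The digests are placeholders, not real package hashes.
SAMPLE_REQUIREMENTS = """\
# hashed requirements (constructed example)
examplepkg==1.2.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
otherpkg==0.1   # no hash: rejected when hashes are required
"""

HASH_OPT = re.compile(r"^--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)$")
# Assumption for this example: only SHA-2 digests are accepted as pins.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


@dataclass
class Requirement:
    spec: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text):
    """Return {project_name: Requirement} for every logical line in ``text``."""
    reqs = {}
    for line in _logical_lines(text):
        parts = shlex.split(line)
        spec, opts = parts[0], parts[1:]
        name = re.split(r"[=<>!~\s\[]", spec, maxsplit=1)[0].lower()
        req = Requirement(spec=spec)
        for opt in opts:
            m = HASH_OPT.match(opt)
            if not m:
                raise ValueError(f"unsupported option {opt!r} on {spec}")
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if algo not in ALLOWED_ALGOS:
                raise ValueError(f"weak or unknown hash algorithm {algo!r} on {spec}")
            req.hashes.setdefault(algo, set()).add(digest)
        reqs[name] = req
    return reqs


def sha256_hex(data):
    """Hex SHA-256 of an artifact's bytes (helper for building pins)."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(req, data, require_hashes=True):
    """True if ``data`` matches any pinned digest of ``req``.

    With require_hashes, a requirement carrying no hash is an error rather
    than a silent pass; without it, unhashed requirements are accepted.
    """
    if not req.hashes:
        if require_hashes:
            raise ValueError(f"{req.spec}: hashes required but none given")
        return True
    for algo, digests in req.hashes.items():
        # The digest of a public archive is not a secret, so plain set
        # membership is adequate here.
        if hashlib.new(algo, data).hexdigest() in digests:
            return True
    return False


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    artifact = b"constructed sdist bytes"
    # The placeholder pins do not match, so the artifact is rejected.
    print(verify_artifact(reqs["examplepkg"], artifact))
```

Listing several hashes for one requirement is what lets a single requirements file cover, for example, both an sdist and a wheel of the same release; any one match is sufficient, while a requirement with no hash at all fails closed when hashes are required.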
- Fix a bug causing pip to not select a wheel compiled against an OSX SDK later
than what Python itself was compiled against when running on a newer version
of OSX.
- Add a new ``--prefix`` option for ``pip install`` that supports wheels and
sdists. (3252)
- Fixed issue regarding wheel building with setup.py using a different encoding
than the system. (2042)
- Drop PasteScript specific egg_info hack. (3270)
- Allow combination of the ``pip list`` option ``--editable`` with
  ``--outdated``/``--uptodate``. (933)
- Give VCS implementations control over saying whether a project is under
  their control. (3258)
- Git detection now works when ``setup.py`` is not at the Git repo root
and when ``package_dir`` is used, so ``pip freeze`` works in more
cases. (3258)
- Correctly freeze Git develop packages in presence of the ``&subdirectory``
  option. (3258)
- The detection of editable packages now relies on the presence of ``.egg-link``
instead of looking for a VCS, so ``pip list -e`` is more reliable. (3258)
- Add the ``--prefix`` flag to ``pip install`` which allows specifying a root
prefix to use instead of ``sys.prefix``. (3252)
- Allow duplicate specifications in the case that only the extras differ, and
union all specified extras together. (3198)
- Fix the detection of the user's current platform on OSX when determining the
OSX SDK version. (3232)
- Prevent the automatically built wheels from mistakenly being used across
multiple versions of Python when they may not be correctly configured for
that by making the wheel specific to a specific version of Python and
specific interpreter. (3225)
- Emulate the SOABI support in wheels from Python 2.x on Python 2.x as closely
as we can with the information available within the interpreter. (3075)
- Don't roundtrip to the network when git is pinned to a specific commit hash
and that hash already exists locally. (3066)
- Prefer wheels built against a newer SDK to wheels built against an older SDK
on OSX. (3163)
- Show entry points for projects installed via wheel. (3122)
- Improve the message shown when a nonexistent path is passed to the
  ``--find-links`` option. (2968)
- pip freeze does not add the VCS branch/tag name in the egg=... fragment
anymore. (3312)
- Warn on installation of an editable if the provided ``egg=name`` part does not
  match the metadata produced by ``setup.py egg_info``. (3143)
- Add support for ``.xz`` files on Python versions supporting them (>= 3.3). (722)

7.1.2 (not secure)
==================

- Don't raise an error if pip is not installed when checking for the latest pip
version.

7.1.1 (not secure)
==================

- Check that the wheel cache directory is writable before attempting to write
  cached files to it.
- Move the pip version check until *after* any installs have been performed,
thus removing the extraneous warning when upgrading pip.
- Added debug logging when using a cached wheel.
- Respect platlib by default on platforms that have it separated from purelib.
- Upgrade packaging to 15.3.
- Normalize post-release spellings for rev/r prefixes.
- Upgrade distlib to 0.2.1.
- Updated launchers to decode shebangs using UTF-8. This allows non-ASCII
pathnames to be correctly handled.
- Ensured that the executable written to shebangs is normcased.
- Changed ScriptMaker to work better under Jython.
- Upgrade ipaddress to 1.0.13.

7.1.0 (not secure)
==================

- Allow constraining versions globally without having to know exactly what will
be installed by the pip command. (2731)
- Accept --no-binary and --only-binary via pip.conf. (2867)
- Allow ``--allow-all-external`` within a requirements file.
- Fixed an issue where ``--user`` could not be used when ``--prefix`` was used
in a distutils configuration file.
- Fixed an issue where the SOABI tags were not correctly being generated on
Python 3.5.
- Fixed an issue where Windows users were advised to upgrade by directly
  executing pip, which always fails on Windows.
- Allow ``~`` to be expanded within a cache directory in all situations.
