Pip

Latest version: v24.3.1


Page 19 of 26

6.0.2

Not secure
==================

- Fix an issue where the output saying that a package was installed would
  report the old version instead of the new version during an upgrade.
- Fix left over merge conflict markers in the documentation.
- Document the backwards incompatible PEP 440 change in the 6.0.0 changelog.

6.0.1

Not secure
==================

- Fix executable file permissions for Wheel files when using the distutils
  scripts option.
- Fix a confusing error message when an exception was raised at certain
  points in pip's execution.
- Fix the missing list of versions when a version cannot be found that matches
  the specifiers.
- Add a warning about the possibly problematic use of ``>`` when the given
  specifier doesn't match anything.
- Fix an issue where installing from a directory would not copy over certain
  directories which were being excluded, however some build systems rely on
  them.

6.0

Not secure
================

- **PROCESS** Version numbers are now simply ``X.Y`` where the leading ``1``
  has been dropped.
- **BACKWARD INCOMPATIBLE** Dropped support for Python 3.1.
- **BACKWARD INCOMPATIBLE** Removed the bundle support which was deprecated in
  1.4. (1806)
- **BACKWARD INCOMPATIBLE** File lists generated by ``pip show -f`` are now
  rooted at the location reported by show, rather than one (unstated)
  directory lower. (1933)
- **BACKWARD INCOMPATIBLE** The ability to install files over the FTP protocol
  was accidentally lost in pip 1.5 and it has now been decided to not restore
  that ability.
- **BACKWARD INCOMPATIBLE** PEP 440 is now fully implemented, this means that
  in some cases versions will sort differently or version specifiers will be
  interpreted differently than previously. The common cases should all function
  similarly to before.
- **DEPRECATION** ``pip install --download-cache`` and
  ``pip wheel --download-cache`` command line flags have been deprecated and
  the functionality removed. Since pip now automatically configures and uses
  its internal HTTP cache, which supplants ``--download-cache``, the
  existing options have been made non-functional but will still be accepted
  until their removal in pip v8.0. For more information please see
  https://pip.pypa.io/en/stable/reference/pip_install.html#caching
- **DEPRECATION** ``pip install --build`` and ``pip install --no-clean`` are now
  *NOT* deprecated. This reverses the deprecation that occurred in v1.5.3.
  (906)
- **DEPRECATION** Implicitly accessing URLs which point to an origin which is
  not a secure origin is deprecated; pip instead requires an opt-in for each
  host using the new ``--trusted-host`` flag
  (``pip install --trusted-host example.com foo``).
- Allow the new ``--trusted-host`` flag to also disable TLS verification for
  a particular hostname.
- Added a ``--user`` flag to ``pip freeze`` and ``pip list`` to check the
  user site directory only.
- Silence byte compile errors when installation succeeds. (1873)
- Added a virtualenv-specific configuration file. (1364)
- Added site-wide configuration files. (1978)
- Added an automatic check to warn if there is an updated version of pip
  available. (2049)
- ``wsgiref`` and ``argparse`` (for >py26) are now excluded from ``pip list``
  and ``pip freeze``. (1606, 1369)
- Add ``--client-cert`` option for SSL client certificates. (1424)
- ``pip show --files`` was broken for wheel installs. (1635, 1484)
- install_lib should take precedence when reading distutils config.
  (1642, 1641)
- Send ``Accept-Encoding: identity`` when downloading files in an attempt to
  convince some servers who double compress the downloaded file to stop doing
  so. (1688)
- Stop breaking when given pip commands in uppercase (1559, 1725)
- pip no longer adds duplicate logging consumers, so it won't create duplicate
  output when being called multiple times. (1618, 1723)
- ``pip wheel`` now returns an error code if any wheels fail to build. (1769)
- ``pip wheel`` wasn't building wheels for dependencies of editable
  requirements. (1775)
- Allow the use of ``--no-use-wheel`` within a requirements file. (1859)
- Attempt to locate system TLS certificates to use instead of the included
  CA Bundle if possible. (1680, 1866)
- Allow use of Zip64 extension in Wheels and other zip files. (1319, 1868)
- Properly handle an index or ``--find-links`` target which has a ``<base>``
  without a href attribute. (1101, 1869)
- Properly handle extras when a project is installed via Wheel. (1885, 1896)
- Added support to respect proxies in ``pip search``.
  (1180, 932, 1104, 1902)
- ``pip install --download`` works with vcs links. (798, 1060, 1926)
- Disabled warning about insecure index host when using localhost. Based off of
  Guy Rozendorn's work in 1718. (1456, 1967)
- Allow the use of OS standard user configuration files instead of ones simply
  based around ``$HOME``. (2021)
- When installing directly from wheel paths or urls, previous versions were not
  uninstalled. (1825, 804, 1838)
- Detect the location of the ``.egg-info`` directory by looking for any file
  located inside of it instead of relying on the record file listing a
  directory. (2075, 2076)
- Use a randomized and secure default build directory when possible.
  (1964, 1935, 676, 2122, CVE-2014-8991)
- Support environment markers in requirements.txt files. (1433, 2134)
- Automatically retry failed HTTP requests by default. (1444, 2147)
- Handle HTML Encoding better using a method that is more similar to how
  browsers handle it. (1100, 1874)
- Reduce the verbosity of the pip command by default. (2175, 2177, 2178)
- Fixed :issue:`2031` - Respect sys.executable on OSX when installing from
  Wheels.
- Display the entire URL of the file that is being downloaded when downloading
  from a non PyPI repository. (2183)
- Support setuptools style environment markers in a source distribution. (2153)

1.5.6

Not secure
==================

- Upgrade requests to 2.3.0 to fix an issue with proxies on Python 3.4.1.
  (1821)

1.5.5

Not secure
==================

- Uninstall issues on debianized pypy, specifically issues with setuptools
  upgrades. (1632, 1743)
- Update documentation to point at https://bootstrap.pypa.io/get-pip.py for
  bootstrapping pip.
- Update docs to point to https://pip.pypa.io/
- Upgrade the bundled projects (distlib==0.1.8, html5lib==1.0b3, six==1.6.1,
  colorama==0.3.1, setuptools==3.4.4).

1.5.4

Not secure
==================

- Correct deprecation warning for ``pip install --build`` to only notify when
  the ``--build`` value is different than the default.
