Pip

Latest version: v24.0


Page 19 of 25

1.5.3

Not secure
==================

- **DEPRECATION** ``pip install --build`` and ``pip install --no-clean`` are now
deprecated. (906)
- Fixed being unable to download directly from wheel paths/urls, and when wheel
downloads did occur using requirement specifiers, dependencies weren't
downloaded. (1112, 1527)
- ``pip wheel`` was not downloading wheels that already existed. (1320, 1524)
- ``pip install --download`` was failing using local ``--find-links``.
(1111, 1524)
- Workaround for Python bug https://bugs.python.org/issue20053. (1544)
- Don't pass a unicode ``__file__`` to setup.py on Python 2.x. (1583)
- Verify that the Wheel version is compatible with this pip. (1569)

1.5.2

Not secure
==================

- Upgraded the vendored ``pkg_resources`` and ``_markerlib`` to setuptools 2.1.
- Fixed an error that prevented accessing PyPI when pyopenssl, ndg-httpsclient,
and pyasn1 are installed.
- Fixed an issue that caused trailing comments to be incorrectly included as
part of the URL in a requirements file.

1.5.1

Not secure
==================

- pip now only requires setuptools (any setuptools, not a certain version) when
installing distributions from src (i.e. not from wheel). (1434)
- `get-pip.py` now installs setuptools, when it's not already installed. (1475)
- Don't decode downloaded files that have a ``Content-Encoding`` header. (1435)
- Fix to correctly parse wheel filenames with single digit versions. (1445)
- If `--allow-unverified` is used assume it also means `--allow-external`.
(1457)

1.5

Not secure
================

- **BACKWARD INCOMPATIBLE** pip no longer supports the ``--use-mirrors``,
``-M``, and ``--mirrors`` flags. The mirroring support has been removed. In
order to use a mirror specify it as the primary index with ``-i`` or
``--index-url``, or as an additional index with ``--extra-index-url``.
(1098, CVE-2013-5123)
- **BACKWARD INCOMPATIBLE** pip no longer will scrape insecure external urls by
default nor will it install externally hosted files by default. Users may opt
into installing externally hosted or insecure files or urls using
``--allow-external PROJECT`` and ``--allow-unverified PROJECT``. (1055)
- **BACKWARD INCOMPATIBLE** pip no longer respects dependency links by default.
Users may opt into respecting them again using ``--process-dependency-links``.
- **DEPRECATION** ``pip install --no-install`` and ``pip install
--no-download`` are now formally deprecated. See 906 for discussion on
possible alternatives, or lack thereof, in future releases.
- **DEPRECATION** ``pip zip`` and ``pip unzip`` are now formally deprecated.
- pip will now install Mac OSX platform wheels from PyPI. (1278)
- pip now generates the appropriate platform-specific console scripts when
installing wheels. (1251)
- pip now confirms a wheel is supported when installing directly from a path or
url. (1315)
- ``--ignore-installed`` now behaves again as designed, after it was
unintentionally broken in v0.8.3 when fixing 14. (1097, 1352)
- Fixed a bug where global scripts were being removed when uninstalling --user
installed packages. (1353)
- ``--user`` wasn't being respected when installing scripts from wheels.
(1163, 1176)
- Assume '_' means '-' in versions from wheel filenames. (1150, 1158)
- Error when using --log with a failed install. (219, 1205)
- Fixed logging being buffered and choppy in Python 3. (1131)
- Don't ignore --timeout. (70, 1202)
- Fixed an error when setting PIP_EXISTS_ACTION. (772, 1201)
- Added colors to the logging output in order to draw attention to important
warnings and errors. (1109)
- Added warnings when using an insecure index, find-link, or dependency link.
(1121)
- Added support for installing packages from a subdirectory using the
``subdirectory`` editable option. (1082)
- Fixed "TypeError: bad operand type for unary" in some cases when installing
wheels using --find-links. (1192, 1218)
- Archive contents are now written based on system defaults and umask (i.e.
permissions are not preserved), except that regular files with any execute
permissions have the equivalent of "chmod +x" applied after being written.
(1133, 317, 1146)
- PreviousBuildDirError now returns a non-zero exit code and prevents the
previous build dir from being cleaned in all cases. (1162)
- Renamed --allow-insecure to --allow-unverified, however the old name will
continue to work for a period of time. (1257)
- Fixed an error when installing local projects with symlinks in Python 3.
(1006, 1311)
- The previously hidden ``--log-file`` option is now shown as a general option.
(1316)

1.4.1

Not secure
==================

- **New Signing Key** Release 1.4.1 is using a different key than normal with
fingerprint: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
- Fixed issues with installing from pybundle files. (1116)
- Fixed error when sysconfig module throws an exception. (1095)
- Don't ignore already installed pre-releases. (1076)
- Fixes related to upgrading setuptools. (1092)
- Fixes so that --download works with wheel archives. (1113)
- Fixes related to recognizing and cleaning global build dirs. (1080)

1.4

Not secure
================

- **BACKWARD INCOMPATIBLE** pip now only installs stable versions by default,
and offers a new ``--pre`` option to also find pre-release and development
versions. (834)
- **BACKWARD INCOMPATIBLE** Dropped support for Python 2.5. The minimum
supported Python version for pip 1.4 is Python 2.6.
- Added support for installing and building wheel archives. Thanks Daniel Holth,
Marcus Smith, Paul Moore, and Michele Lacchia (845)
- Applied security patch to pip's ssl support related to certificate DNS
wildcard matching (https://bugs.python.org/issue17980).
- To satisfy pip's setuptools requirement, pip now recommends setuptools>=0.8,
not distribute. setuptools and distribute are now merged into one project
called 'setuptools'. (1003)
- pip will now warn when installing a file that is either hosted externally to
the index or cannot be verified with a hash. In the future pip will default
to not installing them and will require the flags --allow-external NAME, and
--allow-insecure NAME respectively. (985)
- If an already-downloaded or cached file has a bad hash, re-download it rather
than erroring out. (963)
- ``pip bundle`` and support for installing from pybundle files is now
considered deprecated and will be removed in pip v1.5.
- Fix a number of issues related to cleaning up and not reusing build
directories. (413, 709, 634, 602, 939, 865, 948)
- Added a User Agent so that pip is identifiable in logs. (901)
- Added ssl and --user support to get-pip.py. Thanks Gabriel de Perthuis.
(895)
- Fixed the proxy support, which was broken in pip 1.3.x (840)
- Fixed pip failing when server does not send content-type header. Thanks
Hugo Lopes Tavares and Kelsey Hightower. (32, 872)
- "Vendorized" distlib as pip.vendor.distlib (https://distlib.readthedocs.io/).
- Fixed git VCS backend with git 1.8.3. (967)
