Pip

Latest version: v24.1

Safety actively analyzes 640549 Python packages for vulnerabilities to keep your Python projects secure.

Page 20 of 25

1.4 (Not secure)
================

- **BACKWARD INCOMPATIBLE** pip now only installs stable versions by default,
and offers a new ``--pre`` option to also find pre-release and development
versions. (834)
- **BACKWARD INCOMPATIBLE** Dropped support for Python 2.5. The minimum
supported Python version for pip 1.4 is Python 2.6.
- Added support for installing and building wheel archives. Thanks Daniel Holth,
Marcus Smith, Paul Moore, and Michele Lacchia (845)
- Applied security patch to pip's ssl support related to certificate DNS
wildcard matching (https://bugs.python.org/issue17980).
- To satisfy pip's setuptools requirement, pip now recommends setuptools>=0.8,
not distribute. setuptools and distribute are now merged into one project
called 'setuptools'. (1003)
- pip will now warn when installing a file that is either hosted externally to
the index or cannot be verified with a hash. In the future pip will default
to not installing them and will require the flags --allow-external NAME, and
--allow-insecure NAME respectively. (985)
- If an already-downloaded or cached file has a bad hash, re-download it rather
than erroring out. (963)
- ``pip bundle`` and support for installing from pybundle files is now
considered deprecated and will be removed in pip v1.5.
- Fix a number of issues related to cleaning up and not reusing build
directories. (413, 709, 634, 602, 939, 865, 948)
- Added a User Agent so that pip is identifiable in logs. (901)
- Added ssl and --user support to get-pip.py. Thanks Gabriel de Perthuis.
(895)
- Fixed the proxy support, which was broken in pip 1.3.x (840)
- Fixed pip failing when server does not send content-type header. Thanks
Hugo Lopes Tavares and Kelsey Hightower. (32, 872)
- "Vendorized" distlib as pip.vendor.distlib (https://distlib.readthedocs.io/).
- Fixed git VCS backend with git 1.8.3. (967)

1.3.1 (Not secure)
==================

- Fixed a major backward incompatible change of parsing URLs to externally
hosted packages that got accidentally included in 1.3.

1.3 (Not secure)
================

- SSL Cert Verification; Make https the default for PyPI access. Thanks
James Cleveland, Giovanni Bajo, Marcus Smith and many others.
(791, CVE-2013-1629)
- Added "pip list" for listing installed packages and the latest version
available. Thanks Rafael Caricio, Miguel Araujo, Dmitry Gladkov. (752)
- Fixed security issues with pip's use of temp build directories.
Thanks David (d1b) and Thomas Guttler. (780, CVE-2013-1888)
- Improvements to sphinx docs and cli help. (773)
- Fixed an issue dealing with macOS temp dir handling, which was causing global
NumPy installs to fail. (707, 768)
- Split help output into general vs command-specific option groups.
Thanks Georgi Valkov. (744, 721)
- Fixed dependency resolution when installing from archives with uppercase
project names. (724)
- Fixed problem where re-installs always occurred when using file:// find-links.
(683, 702)
- "pip install -v" now shows the full download url, not just the archive name.
Thanks Marc Abramowitz (687)
- Fix to prevent unnecessary PyPI redirects. Thanks Alex Gronholm (695)
- Fixed an install failure under Python 3 when the same version of a package is
found under 2 different URLs. Thanks Paul Moore (670, 671)
- Fix git submodule recursive updates. Thanks Roey Berman. (674)
- Explicitly ignore rel='download' links while looking for html pages. Thanks
Maxime R. (677)
- --user/--upgrade install options now work together. Thanks 'eevee' for
discovering the problem. (705)
- Added check in ``install --download`` to prevent re-downloading if the target
file already exists. Thanks Andrey Bulgakov. (669)
- Added support for bare paths (including relative paths) as argument to
`--find-links`. Thanks Paul Moore for draft patch.
- Added support for --no-index in requirements files.
- Added "pip show" command to get information about an installed package.
Thanks Kelsey Hightower and Rafael Caricio. (131)
- Added `--root` option for "pip install" to specify root directory. Behaves
like the same option in distutils but also plays nice with pip's egg-info.
Thanks Przemek Wrzos. (253, 693)

1.2.1 (Not secure)
==================

- Fixed a regression introduced in 1.2 about raising an exception when
not finding any files to uninstall in the current environment. Thanks for
the fix, Marcus Smith.

1.2 (Not secure)
================

- **Dropped support for Python 2.4** The minimum supported Python version is
now Python 2.5.
- Fixed PyPI mirror support being broken on some DNS responses. Thanks
philwhin. (605)
- Fixed pip uninstall removing files it didn't install. Thanks pjdelport.
(355)
- Fixed a number of issues related to improving support for the user
installation scheme. Thanks Marcus Smith. (493, 494, 440, 573)
- Write failure log to temp file if default location is not writable. Thanks
andreigc.
- Pull in submodules for git editable checkouts. Thanks Hsiaoming Yang and
Markus Hametner. (289, 421)
- Use a temporary directory as the default build location outside of a
virtualenv. Thanks Ben Rosser. (339, 381)
- Added support for specifying extras with local editables. Thanks Nick
Stenning.
- Added ``--egg`` flag to request egg-style rather than flat installation.
Thanks Kamal Bin Mustafa. (3)
- Prevent e.g. ``gmpy2-2.0.tar.gz`` from matching a request to
``pip install gmpy``; sdist filename must begin with full project name
followed by a dash. Thanks casevh for the report. (510)
- Allow package URLs to have querystrings. Thanks W. Trevor King. (504)
- pip freeze now falls back to non-editable format rather than blowing up if it
can't determine the origin repository of an editable. Thanks Rory McCann.
(58)
- Added a `__main__.py` file to enable `python -m pip` on Python versions
that support it. Thanks Alexey Luchko.
- Fixed upgrading from VCS url of project that does exist on index. Thanks
Andrew Knapp for the report. (487)
- Fix upgrade from VCS url of project with no distribution on index.
Thanks Andrew Knapp for the report. (486)
- Add a clearer error message on a malformed VCS url. Thanks Thomas Fenzl.
(427)
- Added support for using any of the built in guaranteed algorithms in
``hashlib`` as a checksum hash.
- Raise an exception if current working directory can't be found or accessed.
(321)
- Removed special casing of the user directory and use the Python default
instead. (82)
- Only warn about version conflicts if there is actually one. This re-enables
using ``==dev`` in requirements files. (436)
- Moved tests to be run on Travis CI: https://travis-ci.org/pypa/pip
- Added a better help formatter.

1.1 (Not secure)
================

- Don't crash when a package's setup.py emits UTF-8 and then fails. Thanks
Marc Abramowitz. (326)
- Added ``--target`` option for installing directly to arbitrary directory.
Thanks Stavros Korokithakis.
- Added support for authentication with Subversion repositories. Thanks
Qiangning Hong.
- ``--download`` now downloads dependencies as well. Thanks Qiangning Hong.
(315)
- Errors from subprocesses will display the current working directory.
Thanks Antti Kaihola.
- Fixed compatibility with Subversion 1.7. Thanks Qiangning Hong. Note that
setuptools remains incompatible with Subversion 1.7; to get the benefits of
pip's support you must use Distribute rather than setuptools. (369)
- Ignore py2app-generated macOS mpkg zip files in finder. Thanks Rene Dudfield.
(57)
- Log to ~/Library/Logs/ by default on macOS framework installs. Thanks
Dan Callahan for report and patch. (182)
- Understand version tags without minor version ("py3") in sdist filenames.
Thanks Stuart Andrews for report and Olivier Girardot for patch. (310)
- pip now supports optionally installing setuptools "extras" dependencies; e.g.
"pip install Paste[openid]". Thanks Matt Maker and Olivier Girardot. (7)
- freeze no longer borks on requirements files with --index-url or --find-links.
Thanks Herbert Pfennig. (391)
- Handle symlinks properly. Thanks lebedov for the patch. (288)
- pip install -U no longer reinstalls the same versions of packages. Thanks
iguananaut for the pull request. (49)
- Removed ``-E``/``--environment`` option and ``PIP_RESPECT_VIRTUALENV``;
both use a restart-in-venv mechanism that's broken, and neither one is
useful since every virtualenv now has pip inside it. Replace ``pip -E
path/to/venv install Foo`` with ``virtualenv path/to/venv &&
path/to/venv/pip install Foo``.
- Fixed pip throwing an IndexError when it calls `scraped_rel_links`. (366)
- pip search should set and return a useful shell status code. (22)
- Added global ``--exists-action`` command line option to make it easier to
script file-exists conflicts, e.g. from editable requirements from VCS that
have a changed repo URL. (351, 365)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.