Pip

Latest version: v24.0

Page 7 of 25

21.1.1 (Not secure)
===================

Deprecations and Removals
-------------------------

- Temporarily set the new "Value for ... does not match" location warnings level
to *DEBUG*, to hide them from casual users. This prepares pip 21.1 for CPython
inclusion, while pip maintainers digest the first intake of location mismatch
issues for the ``distutils``-``sysconfig`` transition. (`9912 <https://github.com/pypa/pip/issues/9912>`_)

Bug Fixes
---------

- This change fixes a bug on Python <=3.6.1 with a Typing feature added in 3.6.2 (`9831 <https://github.com/pypa/pip/issues/9831>`_)
- Fix compatibility between distutils and sysconfig when the project name is unknown outside of a virtual environment. (`9838 <https://github.com/pypa/pip/issues/9838>`_)
- Fix Python 3.6 compatibility when a PEP 517 build requirement itself needs to be
built in an isolated environment. (`9878 <https://github.com/pypa/pip/issues/9878>`_)

21.1 (Not secure)
=================

Process
-------

- Start installation scheme migration from ``distutils`` to ``sysconfig``. A
warning is implemented to detect differences between the two implementations to
encourage user reports, so we can avoid breakages before they happen.

Features
--------

- Add the ability for the new resolver to process URL constraints. (`8253 <https://github.com/pypa/pip/issues/8253>`_)
- Add a feature ``--use-feature=in-tree-build`` to build local projects in-place
when installing. This is expected to become the default behavior in pip 21.3;
see `Installing from local packages <https://pip.pypa.io/en/stable/user_guide/#installing-from-local-packages>`_
for more information. (`9091 <https://github.com/pypa/pip/issues/9091>`_)
- Bring back the "(from versions: ...)" message, that was shown on resolution failures. (`9139 <https://github.com/pypa/pip/issues/9139>`_)
- Add support for editable installs for projects with only a setup.cfg file. (`9547 <https://github.com/pypa/pip/issues/9547>`_)
- Improve performance when picking the best file from indexes during ``pip install``. (`9748 <https://github.com/pypa/pip/issues/9748>`_)
- Warn instead of erroring out when doing a PEP 517 build in presence of
``--build-option``. Warn when doing a PEP 517 build in presence of
``--global-option``. (`9774 <https://github.com/pypa/pip/issues/9774>`_)

Bug Fixes
---------

- Fixed ``--target`` to work with ``--editable`` installs. (`4390 <https://github.com/pypa/pip/issues/4390>`_)
- Add a warning, discouraging the usage of pip as root, outside a virtual environment. (`6409 <https://github.com/pypa/pip/issues/6409>`_)
- Ignore ``.dist-info`` directories if the stem is not a valid Python distribution
name, so they don't show up in e.g. ``pip freeze``. (`7269 <https://github.com/pypa/pip/issues/7269>`_)
- Only query the keyring for URLs that actually trigger error 401.
This prevents an unnecessary keyring unlock prompt on every pip install
invocation (even with default index URL which is not password protected). (`8090 <https://github.com/pypa/pip/issues/8090>`_)
- Prevent packages already installed alongside pip from being injected into an
isolated build environment during build-time dependency population. (`8214 <https://github.com/pypa/pip/issues/8214>`_)
- Fix ``pip freeze`` permission denied error in order to display an understandable error message and offer solutions. (`8418 <https://github.com/pypa/pip/issues/8418>`_)
- Correctly uninstall script files (from setuptools' ``scripts`` argument), when installed with ``--user``. (`8733 <https://github.com/pypa/pip/issues/8733>`_)
- New resolver: When a requirement is requested both via a direct URL
(``req URL``) and via version specifier with extras (``req[extra]``), the
resolver will now be able to use the URL to correctly resolve the requirement
with extras. (`8785 <https://github.com/pypa/pip/issues/8785>`_)
- New resolver: Show relevant entries from user-supplied constraint files in the
error message to improve debuggability. (`9300 <https://github.com/pypa/pip/issues/9300>`_)
- Avoid parsing version to make the version check more robust against lousily
debundled downstream distributions. (`9348 <https://github.com/pypa/pip/issues/9348>`_)
- ``--user`` is no longer suggested incorrectly when pip fails with a permission
error in a virtual environment. (`9409 <https://github.com/pypa/pip/issues/9409>`_)
- Fix incorrect reporting on ``Requires-Python`` conflicts. (`9541 <https://github.com/pypa/pip/issues/9541>`_)
- Make wheel compatibility tag preferences more important than the build tag (`9565 <https://github.com/pypa/pip/issues/9565>`_)
- Fix pip to work with warnings converted to errors. (`9779 <https://github.com/pypa/pip/issues/9779>`_)
- **SECURITY**: Stop splitting on unicode separators in git references,
which could be maliciously used to install a different revision on the
repository. (`9827 <https://github.com/pypa/pip/issues/9827>`_)
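The SECURITY item above concerns parsers that split text on Unicode separators. The following added example (not pip's code; the ``git show-ref``-style listing is constructed, and the exact change pip made is not reproduced here) contrasts a lenient parser that uses ``str.splitlines()``/``str.split()`` with a hardened one that splits only on ASCII newline and space and validates each field:

```python
from __future__ import annotations

import re

# Constructed sample of a `git show-ref`-style listing (not real repository data).
# The second line is a crafted ref name that embeds U+2028 LINE SEPARATOR so that
# Unicode-aware splitting turns one line into two.
GENUINE_SHA = "a" * 40
CRAFTED_SHA = "b" * 40
SAMPLE_OUTPUT = (
    f"{GENUINE_SHA} refs/tags/v1.0\n"
    f"{CRAFTED_SHA} refs/heads/feature\u2028{CRAFTED_SHA} refs/tags/v1.0\n"
)

SHA_RE = re.compile(r"[0-9a-f]{40}")


def parse_refs_lenient(output: str) -> dict[str, str]:
    """Unsafe: str.splitlines() and str.split() both honour Unicode separators,
    so a crafted ref name can masquerade as an extra '<sha> <ref>' line."""
    refs: dict[str, str] = {}
    for line in output.splitlines():
        if line:
            sha, name = line.split()
            refs[name] = sha
    return refs


def is_safe_ref_name(name: str) -> bool:
    """Reject ref names containing any whitespace, separator or control character."""
    return bool(name) and all(ch.isprintable() and not ch.isspace() for ch in name)


def parse_refs_strict(output: str) -> dict[str, str]:
    """Hardened: split only on ASCII newline and the first ASCII space, validate
    the SHA as 40 hex digits, and fail closed on any suspicious ref name."""
    refs: dict[str, str] = {}
    for line in output.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        sha, sep, name = line.partition(" ")
        if not sep or not SHA_RE.fullmatch(sha) or not is_safe_ref_name(name):
            raise ValueError(f"malformed ref line: {line!r}")
        refs[name] = sha
    return refs


def strict_accepts(output: str) -> bool:
    """True if the hardened parser accepts every line of the listing."""
    try:
        parse_refs_strict(output)
    except ValueError:
        return False
    return True
```

The lenient parser ends up mapping ``refs/tags/v1.0`` to the crafted SHA, while the strict parser rejects the listing outright rather than guessing.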

Vendored Libraries
------------------

- Update urllib3 to 1.26.4 to fix CVE-2021-28363
- Remove contextlib2.
- Upgrade idna to 3.1
- Upgrade pep517 to 0.10.0
- Upgrade vendored resolvelib to 0.7.0.
- Upgrade tenacity to 7.0.0

Improved Documentation
----------------------

- Update "setuptools extras" link to match upstream. (`4822829F-6A45-4202-87BA-A80482DF6D4E <https://github.com/pypa/pip/issues/4822829F-6A45-4202-87BA-A80482DF6D4E>`_)
- Improve SSL Certificate Verification docs and ``--cert`` help text. (`6720 <https://github.com/pypa/pip/issues/6720>`_)
- Add a section in the documentation to suggest solutions to the ``pip freeze`` permission denied issue. (`8418 <https://github.com/pypa/pip/issues/8418>`_)
- Add warning about ``--extra-index-url`` and dependency confusion (`9647 <https://github.com/pypa/pip/issues/9647>`_)
- Describe ``--upgrade-strategy`` and direct requirements explicitly; add a brief
example. (`9692 <https://github.com/pypa/pip/issues/9692>`_)

21.0.1 (Not secure)
===================

Bug Fixes
---------

- commands: debug: Use packaging.version.parse to compare between versions. (`9461 <https://github.com/pypa/pip/issues/9461>`_)
- New resolver: Download and prepare a distribution only at the last possible
moment to avoid unnecessary network access when the same version is already
installed locally. (`9516 <https://github.com/pypa/pip/issues/9516>`_)

Vendored Libraries
------------------

- Upgrade packaging to 20.9

21.0 (Not secure)
=================

Deprecations and Removals
-------------------------

- Drop support for Python 2. (`6148 <https://github.com/pypa/pip/issues/6148>`_)
- Remove support for legacy wheel cache entries that were created with pip
versions older than 20.0. (`7502 <https://github.com/pypa/pip/issues/7502>`_)
- Remove support for VCS pseudo URLs in editable requirements. This had been emitting
a deprecation warning since version 20.0. (`7554 <https://github.com/pypa/pip/issues/7554>`_)
- Modernise the codebase after Python 2. (`8802 <https://github.com/pypa/pip/issues/8802>`_)
- Drop support for Python 3.5. (`9189 <https://github.com/pypa/pip/issues/9189>`_)
- Remove the VCS export feature that was used only with editable VCS
requirements and had correctness issues. (`9338 <https://github.com/pypa/pip/issues/9338>`_)

Features
--------

- Add ``--ignore-requires-python`` support to pip download. (`1884 <https://github.com/pypa/pip/issues/1884>`_)
- New resolver: Error message shown when a wheel contains inconsistent metadata
is made more helpful by including both values from the file name and internal
metadata. (`9186 <https://github.com/pypa/pip/issues/9186>`_)

Bug Fixes
---------

- Fix a regression that made ``pip wheel`` do a VCS export instead of a VCS clone
for editable requirements. This broke VCS requirements that need the VCS
information to build correctly. (`9273 <https://github.com/pypa/pip/issues/9273>`_)
- Fix ``pip download`` of editable VCS requirements that need VCS information
to build correctly. (`9337 <https://github.com/pypa/pip/issues/9337>`_)

Vendored Libraries
------------------

- Upgrade msgpack to 1.0.2.
- Upgrade requests to 2.25.1.

Improved Documentation
----------------------

- Render the unreleased pip version change notes on the news page in docs. (`9172 <https://github.com/pypa/pip/issues/9172>`_)
- Fix broken email link in docs feedback banners. (`9343 <https://github.com/pypa/pip/issues/9343>`_)

20.3.4 (Not secure)
===================

Features
--------

- ``pip wheel`` now verifies the built wheel contains valid metadata, and can be
installed by a subsequent ``pip install``. This can be disabled with
``--no-verify``. (`9206 <https://github.com/pypa/pip/issues/9206>`_)
- Improve presentation of XMLRPC errors in pip search. (`9315 <https://github.com/pypa/pip/issues/9315>`_)

Bug Fixes
---------

- Fixed hanging VCS subprocess calls when the VCS outputs a large amount of data
on stderr. Restored logging of VCS errors that was inadvertently removed in pip
20.2. (`8876 <https://github.com/pypa/pip/issues/8876>`_)
- Fix error when an existing incompatibility is unable to be applied to a backtracked state. (`9180 <https://github.com/pypa/pip/issues/9180>`_)
- New resolver: Discard a faulty distribution, instead of quitting outright.
This implementation is taken from 20.2.2, with a fix that always makes the
resolver iterate through candidates from indexes lazily, to avoid downloading
candidates we do not need. (`9203 <https://github.com/pypa/pip/issues/9203>`_)
- New resolver: Discard a source distribution if it fails to generate metadata,
instead of quitting outright. This implementation is taken from 20.2.2, with a
fix that always makes the resolver iterate through candidates from indexes
lazily, to avoid downloading candidates we do not need. (`9246 <https://github.com/pypa/pip/issues/9246>`_)

Vendored Libraries
------------------

- Upgrade resolvelib to 0.5.4.

20.3.3 (Not secure)
===================

Bug Fixes
---------

- Revert "Skip candidate not providing valid metadata", as that caused pip to be overeager about downloading from the package index. (`9264 <https://github.com/pypa/pip/issues/9264>`_)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.