Bump pip from 24.3.1 to 25.0 #8682

dependabot · 2025-01-27T16:39:00Z

Bumps pip from 24.3.1 to 25.0.

Changelog

25.0 (2025-01-26)

Deprecations and Removals

Deprecate the no-python-version-warning flag as it has long done nothing since Python 2 support was removed in pip 21.0. ([#13154](https://github.com/pypa/pip/issues/13154) <https://github.com/pypa/pip/issues/13154>_)

Features

Prefer to display :pep:639 License-Expression in pip show if metadata version is at least 2.4. ([#13112](https://github.com/pypa/pip/issues/13112) <https://github.com/pypa/pip/issues/13112>_)

Support :pep:639 License-Expression and License-File metadata fields in JSON output. pip inspect and pip install --report now emit license_expression and license_file fields in the metadata object, if the corresponding fields are present in the installed METADATA file. ([#13134](https://github.com/pypa/pip/issues/13134) <https://github.com/pypa/pip/issues/13134>_)

Files in the network cache will inherit the read/write permissions of pip's cache directory (in addition to the current user retaining read/write access). This enables a single cache to be shared among multiple users. ([#11012](https://github.com/pypa/pip/issues/11012) <https://github.com/pypa/pip/issues/11012>_)

Return the size, along with the number, of files cleared on pip cache purge and pip cache remove ([#12176](https://github.com/pypa/pip/issues/12176) <https://github.com/pypa/pip/issues/12176>_)

Cache python-requires checks while filtering potential installation candidates. ([#13128](https://github.com/pypa/pip/issues/13128) <https://github.com/pypa/pip/issues/13128>_)

Optimize package collection by avoiding unnecessary URL parsing and other processing. ([#13132](https://github.com/pypa/pip/issues/13132) <https://github.com/pypa/pip/issues/13132>_)

Bug Fixes

Reorder the encoding detection when decoding a requirements file, relying on UTF-8 over the locale encoding by default, matching the documented behaviour. ([#12771](https://github.com/pypa/pip/issues/12771) <https://github.com/pypa/pip/issues/12771>_)

The pip version self check is disabled on EXTERNALLY-MANAGED environments. ([#11820](https://github.com/pypa/pip/issues/11820) <https://github.com/pypa/pip/issues/11820>_)

Fix a security bug allowing a specially crafted wheel to execute code during installation. ([#13079](https://github.com/pypa/pip/issues/13079) <https://github.com/pypa/pip/issues/13079>_)

The inclusion of packaging 24.2 changes how pre-release specifiers with < and > behave. Including a pre-release version with these specifiers now implies accepting pre-releases (e.g., <2.0dev can include 1.0rc1). To avoid implying pre-releases, avoid specifying them (e.g., use <2.0). The exception is !=, which never implies pre-releases. ([#13163](https://github.com/pypa/pip/issues/13163) <https://github.com/pypa/pip/issues/13163>_)

The --cert and --client-cert command-line options are now respected while installing build dependencies. Consequently, the private _PIP_STANDALONE_CERT environment variable is no longer used. ([#5502](https://github.com/pypa/pip/issues/5502) <https://github.com/pypa/pip/issues/5502>_)

The --proxy command-line option is now respected while installing build dependencies. ([#6018](https://github.com/pypa/pip/issues/6018) <https://github.com/pypa/pip/issues/6018>_)

Vendored Libraries

Upgrade CacheControl to 0.14.1

Upgrade idna to 3.10

Upgrade msgpack to 1.1.0

Upgrade packaging to 24.2

... (truncated)

Commits

f47b587 Bump for release
74a7f33 Update AUTHORS.txt
a008888 Merge pull request #13171 from pypa/dependabot/github_actions/github-actions-...
d265fb7 Merge pull request #13174 from ichard26/changelog
d35384e Copyedit news entries before 25.0
adc4f99 Reorder requirements file decoding (#12795)
40c4214 Bump pypa/gh-action-pypi-publish in the github-actions group
6b0fb90 Merge pull request #13048 from sbidoul/trusted-publisher-sbi
c7fb1e1 Merge pull request #13145 from befeleme/pip-show-pep639
41c807c Show License-Expression if present in package metadata
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pip](https://github.com/pypa/pip) from 24.3.1 to 25.0. - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@24.3.1...25.0) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

inmantaci · 2025-01-27T18:01:06Z

Processing this pull request

Bumps [pip](https://github.com/pypa/pip) from 24.3.1 to 25.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>25.0 (2025-01-26)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate the <code>no-python-version-warning</code> flag as it has long done nothing since Python 2 support was removed in pip 21.0. (<code>[#13154](pypa/pip#13154) <https://github.com/pypa/pip/issues/13154></code>_)</li> </ul> <h2>Features</h2> <ul> <li>Prefer to display :pep:<code>639</code> <code>License-Expression</code> in <code>pip show</code> if metadata version is at least 2.4. (<code>[#13112](pypa/pip#13112) <https://github.com/pypa/pip/issues/13112></code>_)</li> <li>Support :pep:<code>639</code> <code>License-Expression</code> and <code>License-File</code> metadata fields in JSON output. <code>pip inspect</code> and <code>pip install --report</code> now emit <code>license_expression</code> and <code>license_file</code> fields in the <code>metadata</code> object, if the corresponding fields are present in the installed <code>METADATA</code> file. (<code>[#13134](pypa/pip#13134) <https://github.com/pypa/pip/issues/13134></code>_)</li> <li>Files in the network cache will inherit the read/write permissions of pip's cache directory (in addition to the current user retaining read/write access). This enables a single cache to be shared among multiple users. (<code>[#11012](pypa/pip#11012) <https://github.com/pypa/pip/issues/11012></code>_)</li> <li>Return the size, along with the number, of files cleared on <code>pip cache purge</code> and <code>pip cache remove</code> (<code>[#12176](pypa/pip#12176) <https://github.com/pypa/pip/issues/12176></code>_)</li> <li>Cache <code>python-requires</code> checks while filtering potential installation candidates. (<code>[#13128](pypa/pip#13128) <https://github.com/pypa/pip/issues/13128></code>_)</li> <li>Optimize package collection by avoiding unnecessary URL parsing and other processing. (<code>[#13132](pypa/pip#13132) <https://github.com/pypa/pip/issues/13132></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Reorder the encoding detection when decoding a requirements file, relying on UTF-8 over the locale encoding by default, matching the documented behaviour. (<code>[#12771](pypa/pip#12771) <https://github.com/pypa/pip/issues/12771></code>_)</li> <li>The pip version self check is disabled on <code>EXTERNALLY-MANAGED</code> environments. (<code>[#11820](pypa/pip#11820) <https://github.com/pypa/pip/issues/11820></code>_)</li> <li>Fix a security bug allowing a specially crafted wheel to execute code during installation. (<code>[#13079](pypa/pip#13079) <https://github.com/pypa/pip/issues/13079></code>_)</li> <li>The inclusion of <code>packaging</code> 24.2 changes how pre-release specifiers with <code><</code> and <code>></code> behave. Including a pre-release version with these specifiers now implies accepting pre-releases (e.g., <code><2.0dev</code> can include <code>1.0rc1</code>). To avoid implying pre-releases, avoid specifying them (e.g., use <code><2.0</code>). The exception is <code>!=</code>, which never implies pre-releases. (<code>[#13163](pypa/pip#13163) <https://github.com/pypa/pip/issues/13163></code>_)</li> <li>The <code>--cert</code> and <code>--client-cert</code> command-line options are now respected while installing build dependencies. Consequently, the private <code>_PIP_STANDALONE_CERT</code> environment variable is no longer used. (<code>[#5502](pypa/pip#5502) <https://github.com/pypa/pip/issues/5502></code>_)</li> <li>The <code>--proxy</code> command-line option is now respected while installing build dependencies. (<code>[#6018](pypa/pip#6018) <https://github.com/pypa/pip/issues/6018></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade CacheControl to 0.14.1</li> <li>Upgrade idna to 3.10</li> <li>Upgrade msgpack to 1.1.0</li> <li>Upgrade packaging to 24.2</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/f47b5874299848c688336ae7c8d69534013fe2c6"><code>f47b587</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/74a7f3335338712af44be95241daf62e756f27ec"><code>74a7f33</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/a008888a5b123e8d5e4667bdd21e4b42f3fc034c"><code>a008888</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/13171">#13171</a> from pypa/dependabot/github_actions/github-actions-...</li> <li><a href="https://github.com/pypa/pip/commit/d265fb7427c3ba4dbd10e4874a0bebea2e59350e"><code>d265fb7</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/13174">#13174</a> from ichard26/changelog</li> <li><a href="https://github.com/pypa/pip/commit/d35384ef91cb372a5223a01f980e5deb84c8fde5"><code>d35384e</code></a> Copyedit news entries before 25.0</li> <li><a href="https://github.com/pypa/pip/commit/adc4f9951b51b6a06e405b8960dd0c5f030f0fb5"><code>adc4f99</code></a> Reorder requirements file decoding (<a href="https://github.com/pypa/pip/issues/12795">#12795</a>)</li> <li><a href="https://github.com/pypa/pip/commit/40c42149a51a63e8416c047d5ddc0da1694387ea"><code>40c4214</code></a> Bump pypa/gh-action-pypi-publish in the github-actions group</li> <li><a href="https://github.com/pypa/pip/commit/6b0fb904803fbb3ce7da63966b2759407b6cd9dc"><code>6b0fb90</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/13048">#13048</a> from sbidoul/trusted-publisher-sbi</li> <li><a href="https://github.com/pypa/pip/commit/c7fb1e13ec79b1b48481ac245144c2b368e64f7d"><code>c7fb1e1</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/13145">#13145</a> from befeleme/pip-show-pep639</li> <li><a href="https://github.com/pypa/pip/commit/41c807c5938d269703c6ff2644fb3b7dc88eda4e"><code>41c807c</code></a> Show License-Expression if present in package metadata</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.3.1...25.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.3.1&new-version=25.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

inmantaci · 2025-01-27T18:01:16Z

Merged into branches master, iso8 in 9377313

dependabot · 2025-01-27T18:01:18Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot bot added the dependencies Pull requests that update a dependency file label Jan 27, 2025

inmantaci approved these changes Jan 27, 2025

View reviewed changes

Added change entry

37b3945

inmantaci added the merge-tool-ready This ticket is ready to be merged in label Jan 27, 2025

inmantaci mentioned this pull request Jan 27, 2025

Bump pip from 24.3.1 to 25.0 (#8682) #8683

Closed

inmantaci closed this Jan 27, 2025

inmantaci deleted the dependabot/pip/master/pip-25.0 branch January 27, 2025 18:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump pip from 24.3.1 to 25.0 #8682

Bump pip from 24.3.1 to 25.0 #8682

Uh oh!

dependabot bot commented on behalf of github Jan 27, 2025

Uh oh!

inmantaci commented Jan 27, 2025

Uh oh!

inmantaci commented Jan 27, 2025

Uh oh!

dependabot bot commented on behalf of github Jan 27, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Bump pip from 24.3.1 to 25.0 #8682

Bump pip from 24.3.1 to 25.0 #8682

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 27, 2025

25.0 (2025-01-26)

Deprecations and Removals

Features

Bug Fixes

Vendored Libraries

Uh oh!

inmantaci commented Jan 27, 2025

Uh oh!

inmantaci commented Jan 27, 2025

Uh oh!

dependabot bot commented on behalf of github Jan 27, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants