-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pip parses dist-info-metadata
key from JSON indexes incorrectly
#12042
Comments
This needs an urgent fix, as pip will start failing on any package with a PEP 658 metadata file when PyPI release their fix. @pypa/pip-committers any thoughts? Should we release an emergency bug fix mid-cycle? How do we communicate the issue (as every version of pip back to 22.something will fail)? Is there anything Warehouse could do to mitigate this? I’m happy to release an emergency fix, but I’m nervous about how we test it sufficiently in advance of Warehouse releasing their fix. And I don’t know how we handle the rollout issue. |
On reflection, I was forgetting that PyPI haven't backfilled yet. Assuming they hold off on the backfill until this is fixed, the problem isn't as severe as I'd feared - it will only impact new wheel uploads. As a result, I think that an emergency release with advice that if people hit the issue, they have to upgrade pip should be sufficient. We'll still need to monitor the situation, and PyPI will need to consider how to co-ordinate the backfill with uptake of new pip versions, but we should be OK. |
At the moment warehouse is setting |
Do we know if our current PEP 658 implementation was tested with any real-world (private) index ? Could we use the same to test these fixes? About the rollout I'm not sure either. It looks like the pip fix has to be released before the pypi.org fix, since all installs would otherwise fail without workaround ? In that case it might also be an exceptional situation where we need to release a bug fix for a non current version (it's in since 22.3, actually), since some users may not be in a position to upgrade to 23.1 just yet, due to the recent removal of |
I'm in agreement that backporting and releasing bugfixes for older versions is a good idea (all the way back to when this was released), and something that we should do. I also agree that we should cut emergency-style bugfix releases for this (as is implied). I'll take a look into the fix for this today (I'm at the airport for an 8+ hr flight, and this seems like a good thing to fill my hours + keep me awake), and review our PEP 658 implementation overall. I'm happy to help with the release management work for this as well, although I'm unlikely to have a lot of "definitely free" time next week. |
Ouch, that's bad. But assuming PyPI fix this (the key is optional, so they can fix it) the damage is significantly limited. Enough to not need backports? I don't know. I was only thinking in terms of a 23.1.3 bugfix, which I'm happy to do, but @sbidoul has a point. I don't want to commit myself to doing backports, though, as I'm not sure I'll have the free time for that. |
FWIW, the key has a typo right now. Once that typo is fixed, the pip bug will rear its head, so we should fix pip before that typo and I don't then pypi.org wouldn't need to do anything other than fix that typo. |
That seems reasonable, my only question is, to what extent do we care about users who haven't upgraded their copy of pip - is "there's a fix, you need to upgrade" enough? |
Is there a workaround for users who don't upgrade Pip? Like a command line flag to avoid using the PEP 658 metadata file? Just asking because there will be some noise from users if PyPi stops working even if upgrading to a bugfix is available, many users have strange setups that make things which should be easy not always easy. |
Basically no. That's the big problem here, if an index serves JSON, we'll use it in preference to HTML, and if they provide a The best someone could do is write a service that proxies PyPI but without serving the JSON. But I'm not aware of anyone proposing to do that. |
Just to be clear too, the above is true because of the specifics of this bug, but if pip preferred the HTML version, the same general problem could happen in reverse. There's nothing specific to JSON here other than the bug happens to be in the JSON API on PyPI. This sort of bug is honestly a risk anytime there's some code path that isn't being used, that suddenly starts being used. I think there just isn't a path forward for people who don't upgrade pip, even without the backfill sooner or later most projects are going to end up with releases with |
Hmm, in that case I recommend if anyone has any channels to "get the word out" it be used when Pip posts these bug fixes, I will post it on the Reddit community. |
Footnotes
|
Just because it has been brought up previously to take on mousebender as a dependency for pip, https://github.com/brettcannon/mousebender/blob/main/mousebender/simple.py had this covered for both response types with tests for the HTML side of things (the JSON side is a |
Do we have a gameplan here? What can we do to unblock this? There was mention of a patch release of pip, is that still being considered? |
Unfortunately, the affected pip 23.0.1 has now been backported to today's Python 3.7, 3.8 and 3.9 releases: Prior to this backport those release branches had been running pip 22.0.4, which wasn't affected since it didn't include #11111 (since the feature didn't land until pip 22.3). This presumably means the warehouse fix (pypi/warehouse#13706; which will allow pip and other clients to start benefiting from the feature) is now blocked not only on the pip bug (the bug described in the OP here) being fixed in a new pip bugfix release, but also new CPython releases containing that updated pip too? This might particularly be an issue for Python 3.7, given it reaches EOL at the end of this month, so I'm guessing there may not even be another 3.7 release after today's 3.7.17 release? Short of emergency pip/CPython releases, is there any other way the warehouse fix can be unblocked? Does warehouse have access to the pip version via the user agent, and so could use it to only serve the new |
OOF. size large. The proposal (bifurcation on user agent) is not likely to happen as it will double the number of objects we need to cache in our CDN. |
So we're kind of a crummy spot right now. We have a widely deployed version of pip that contains a bug, that went unnoticed because of a PyPI bug, but we're blocked on fixing that PyPI bug because of the pip bug. The way I see it we have 3 real options here:
I think that (3) is probably our best option here, we could just rename the key from |
I agree that (3) seems like the best option. Even if fixed versions of pip were released via new bugfix releases of CPython 3.7/3.8/3.9/3.10/3.11, there will still be some users who are using non-latest patch releases of CPython who would end up being broken by options 1/2. |
It's possible, but unknown. A potentially mitigating factor: 3.7-3.10 are source-only releases. Only 3.11 (and 3.12) get binary installers.
There are also 3.10 and 3.11 releases due out today (3.12.0b2 already went out). I don't think the builds have started and there might be still be time to adjust the pip version (e.g. rollback) if you're quick? |
True, but I suspect most places are still distributing all supported CPython versions even if they are only source only. For example:
Python 3.10 and 3.11 have been using the affected pip versions for some time (the last release of each was already on pip 22.3.1, and the feature has been in pip since 22.3) - so the situation for those versions wasn't made any worse by today's backport. |
Keep in mind that the bundled pips in these releases are only part of the optional ensurepip module which provides a minimum version of pip that can be used as a bootstrap which can then be used to upgrade to the most current version of pip. Most third-party distributors of Python do not include ensurepip in their packages as they provide their own versions of pip. I don't think we need to do anything urgent about this. |
Well many people do use the bundled version of pip, I think all of the python docker container versions do, Homebrew, etc. That being said, I think this bug has existed dormant in pip since at least 22.3, so we're already well past the point where we can avoid having it "out in the wild", so I don't think today's CPython releases matter much at all for our strategy here, other than it would have been nice to get a fixed version into those releases. |
I think since (3) is probably our best option, I'm going to raise a topic on discuss.p.o. |
Agreed, I think (3) is the best option. I'm inclined to think we should produce a PEP, as there's the possibility that other index providers have started to implement the existing spec - although it's unlikely any have deployed it, as if they had, we'd have got bug reports for pip before now... |
pypi/warehouse#13706 is now an implementation of PEP 714 awaiting pronouncement. |
I'm looking at a pip fix. |
Hmm, there's an important difference between PEP 658 (which specifies how hashes are supplied in the HTML index) and PEP 691 (which specifies the JSON form). The JSON form allows for multiple hashes, which isn't possible in the HTML form. So to correctly process the JSON data will need more than just fixing how the data is parsed, it will need extra functionality to handle multiple hashes. So it's going to be a deeper fix than it looked at first. |
You're not required to use all of them, PEP 691:
So you can just pick one of them to verify if that makes it easier. |
The infrastructure's all there to handle multiple hashes (the I'm also thinking we need some much better tests of this, so we can be sure we've actually fixed the issue before saying it's OK for PyPI to turn on their implementation. Sorry, I shouldn't be trying to pair-program via GitHub issues 😉 |
The good news is we should be able to turn on PyPI's implementation of PEP 714 before pip lands their implementation, since the whole purpose of the strategy in the PEP is that it enables PyPI to land it without breaking the existing logic in pip. Not that much better tests would be a bad thing of course :) but I know how gnarly pip's code base can be to test too, so there's not a huge rush to land it in pip prior to PyPI anymore. |
Hmm, that's a good point and probably worth doing, when we get to that point. It makes me a lot more comfortable that I can check that I haven't made a dumb mistake before we unleash the pip fix on the world 🙂 |
PyPI's implementation of PEP 714 just landed thanks to @ewdurbin :) |
Pip's will land as soon as I can get past the *&^%$£$% RAM disk error on Windows CI. |
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/22.3.1...23.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.3.1&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
…s/@jsii/python-runtime (#4182) Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1...23.2">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
…k/test/generated-code (#4183) Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <ul> <li>Upgrade certifi to 2023.5.7</li> <li>Upgrade platformdirs to 3.8.1</li> <li>Upgrade pygments to 2.15.1</li> <li>Upgrade pyparsing to 3.1.0</li> <li>Upgrade Requests to 2.31.0</li> <li>Upgrade rich to 13.4.2</li> <li>Upgrade setuptools to 68.0.0</li> <li>Updated typing_extensions to 4.6.0</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li> <li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li> <li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li> <li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li> <li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li> <li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li> <li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>23.2.1 (2023-07-22)</h1> <h2>Bug Fixes</h2> <ul> <li>Disable PEP 658 metadata fetching with the legacy resolver. (<code>[#12156](pypa/pip#12156) <https://github.com/pypa/pip/issues/12156></code>_)</li> </ul> <h1>23.2 (2023-07-15)</h1> <h2>Process</h2> <ul> <li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation <https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html></code>__.</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 <https://peps.python.org/pep-0440/></code>_ (<code>[#12063](pypa/pip#12063) <https://github.com/pypa/pip/issues/12063></code>_)</li> <li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code> from the output when running on Python 3.12 or later, where they are not included in a virtual environment by default. Use <code>--exclude</code> if you wish to exclude any of these packages. (<code>[#4256](pypa/pip#4256) <https://github.com/pypa/pip/issues/4256></code>_)</li> </ul> <h2>Features</h2> <ul> <li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) <https://github.com/pypa/pip/issues/12040></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) <https://github.com/pypa/pip/issues/11417></code>_)</li> <li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) <https://github.com/pypa/pip/issues/11847></code>_)</li> <li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) <https://github.com/pypa/pip/issues/11920></code>_)</li> <li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) <https://github.com/pypa/pip/issues/11957></code>_)</li> <li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) <https://github.com/pypa/pip/issues/11985></code>_)</li> <li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) <https://github.com/pypa/pip/issues/12038></code>_)</li> <li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) <https://github.com/pypa/pip/issues/12042></code>_)</li> <li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) <https://github.com/pypa/pip/issues/12067></code>_)</li> <li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) <https://github.com/pypa/pip/issues/12079></code>_)</li> <li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) <https://github.com/pypa/pip/issues/12119></code>_)</li> </ul> <h2>Vendored Libraries</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/4a79e65cb6aac84505ad92d272a29f0c3c1aedce"><code>4a79e65</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/81a0711192c32126a7b11d6898677274cdbc40b5"><code>81a0711</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/1d4674c38950fe01d138a57524799473a2341bb7"><code>1d4674c</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12163">#12163</a> from pfmoore/fix_12156</li> <li><a href="https://github.com/pypa/pip/commit/39aa7ed50e26d77a4a277fa525add44b6f7b3bcd"><code>39aa7ed</code></a> Fix a direct creation of RequirementPreparer in the tests</li> <li><a href="https://github.com/pypa/pip/commit/c12139de9b51da9947d3b36b4f0e2e0c8f467663"><code>c12139d</code></a> Disable PEP 658 for the legacy resolver</li> <li><a href="https://github.com/pypa/pip/commit/593b85f4abd30688648436bb9baca3b8f7b32b51"><code>593b85f</code></a> Use strict optional checking in misc.py (<a href="https://redirect.github.com/pypa/pip/issues/11382">#11382</a>)</li> <li><a href="https://github.com/pypa/pip/commit/b252ad819bc7b998508a7ed8789b60dceddfd603"><code>b252ad8</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12148">#12148</a> from mtreinish/patch-1</li> <li><a href="https://github.com/pypa/pip/commit/26814251c04f459dce8e9502aa42eebdb125ee20"><code>2681425</code></a> Correct typo in 23.2 Changelog Bug Fixes</li> <li><a href="https://github.com/pypa/pip/commit/1d5b12063d8656a2d1c2eebaee83ed530b642e48"><code>1d5b120</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12145">#12145</a> from pfmoore/release/23.2</li> <li><a href="https://github.com/pypa/pip/commit/b6a2670599ded25ffcebc33b5c8b583ccef87f27"><code>b6a2670</code></a> Bump for development</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Description
When using a JSON-based package index, pip expects the
dist-info-metadata
key to always have a string value and does not parse the values described by the spec.PEP 691 states:
pip tries to apply the same string parsing for this value as it does for the
data-dist-info-metadata
value in PEP 658 and does not handle booleans or dicts.This does not work as the entries according to PEP 691 look like:
Expected behavior
pip should handle values with boolean or dict type as described in PEP 691.
pip version
Tested with 23.1.2 and current
main
Python version
3.11
OS
Linux (debian bullseye)
How to Reproduce
To reproduce, we need access to a registry which supports PEP 691 JSON indexes and also PEP 658 metadata.
pypi.org is supposed to support both of these for new file uploads, but there is currently a bug where it provides the metadata under the wrong JSON key (pypi/warehouse#13705), so it is hard to test at the moment. For now, the easiest way to reproduce is to temporarily patch your pip code to use the (incorrect) key to trigger the bug.
Temporarily patch your
pip
code so that it uses the key name provided by pypi.org:Try to install a package.
pip install --no-cache --only-binary :all: pre-commit==3.3.2
to reproduce pip trying to parse a metadata dict as a stringpip install --no-cache --only-binary :all: pre-commit==3.0.0
to reproduce pip trying to parse a booleanfalse
as a stringOutput
Same traceback for
pre-commit==3.0.0
except the last line is insteadCode of Conduct
The text was updated successfully, but these errors were encountered: