-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Truststore by default #11647
Truststore by default #11647
Conversation
813bc8f
to
61d3293
Compare
067a6e3
to
a77fbdc
Compare
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
7c11bb6
to
e321885
Compare
src/pip/_internal/cli/req_command.py
Outdated
# Truststore doesn't work on macOS versions earlier than 10.8 | ||
except OSError: | ||
logger.warning("Disabling truststore since OS version isn't supported") | ||
return None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to do better detection? OSError seems too coarse.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right now truststore
raises an OSError
when the macOS APIs that we need aren't available (ie macOS 10.8). Maybe we can change that error to ImportError
instead? cc @davisagli
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sethmlarson Or maybe a custom subclass of ImportError or OSError? It'd be nice to be able to distinguish between an expected condition (not supported) and an ImportError due to something being messed up with the installation of the vendored package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So @davisagli and I discussed this and unfortunately because this has to happen at import time we couldn't go the route of a custom exception, so we decided to standardize on raising an ImportError
whenever the module can't support the current platform/Python version (currently only macOS 10.7 and earlier raise this error).
Hope this works for you, let me know your thoughts.
@uranusjr Thanks for the review, just to double-check, I didn't add any new tests but because this is the new default behavior I figured this would be okay? Let me know if there is any work to be done outside this PR to prepare for this change (I'll likely write a blog post, but happy to help elsewhere too!) |
I imagine it may be difficult to test this in any case since the feature relies on system configuration by nature. I’m tentitively adding this to 23.1 but the RM has a final say. |
This doesn't seem to be following our normal transition policy. In particular, our documentation notes that legacy features enabled by a Furthermore, users who will see a change in behaviour when this gets enabled will have seen no advance warning that it's coming, and will have had no indication that they may need to test or make changes to their certificate handling. My impression is that this is intended to simply add extra ways that a certificate could be treated as valid, so it shouldn't break anything that works right now, but how sure are we of that? People do crazy things... I suspect very few people will have tried the new feature yet, as it requires installing a support module and enabling an opt-in flag. So I'd consider the new functionality mostly "untried" at this point. I know it's hard to get people to test new stuff, but can we not at least do something to publicise the change in advance? Sorry, but I'm going to reject this for 23.1, on the basis that the transition process needs a bit more work, and I don't want that to be rushed just to get the feature into 23.1. I'm open to arguments to reconsider, but they'll need to be based around explanations of how the current approach is safer than I think it is, not around how we can improve the PR (which will be a fine approach, but not for 23.1) |
Thanks for your review and detailed thought process @pfmoore! I agree on your reasoning for not including this in 23.1. I had a few questions on how best to proceed:
Agreed, I'm thinking for 23.1 we could:
Then we can start getting a lot more feedback and hopefully be more confident with this change being purely additive. Do you agree with this approach, and if so I can rapidly create a PR to meet 23.1?
Since this change should be additive for Python 3.10+ compared to Python 3.9 and earlier, do you see it being necessary to have Python 3.9 support removed before Python 3.10+ would always have this new behavior? In my mind, Python 3.9 and earlier wouldn't be dependent on this change moving forward. |
I'm not particularly familiar with the use cases involved here, so I'm not the best person to comment - hopefully @uranusjr can help out. One question I do have - is I don't like the idea of an "always on" warning nagging people to use a new feature that may have no value to them. At least I assume that for a lot of people it will have no value - I've personally never had a problem because pip uses certifi rather than the system store. What are the target users for this feature, in fact? Presumably it's groups with custom indexes whose certificate is in the system store (managed corporately somehow) who are currently using a dedicated certificate file and who could drop it if they used the system store? So they have a bit of management overhead that they'd be glad to get rid of? Conversely, what are the potential failure cases here? How could switching to use the system store cause something to fail that is currently working? Presumably one case would be "certificate expires and corporate are slow updating the system store"? If it's not obvious, I'm not a security specialist, so if these are dumb scenarios, feel free to ignore them and tell me what would be good ones. My concern here is people screaming "you broke my build pipeline" because there was a behaviour change that we hadn't told them about. Those people are typically the same ones who claim that adding an opt-out flag to all of their jobs isn't practical1.
I'll be honest, given that 23.1 is due at the end of this week, this still feels too much like trying to work out a solution under time pressure to me. I'm still inclined to say let's do nothing in 23.1 and get a proper plan in place after 23.1, so that it's ready to go in good time for 23.2 (and 23.3, if it needs a phased approach, as I feel it probably does). Footnotes
|
As there has been no further comments on this, I'm moving it to the 23.2 milestone. |
There's been nothing further on this, and 23.2 is probably under a month away. @sethmlarson do you have any thoughts on how to proceed, or should we consider moving this to 23.3? I'm not (yet...) the RM for 23.3, but I'd be concerned about having this land at the last minute, just before a release. I know we don't do formal betas, but I still think it's better to get large features in earlier in the release cycle rather than later. |
@pfmoore Hey Paul, I agree that trying to get this PR in in it's current state wouldn't be a good idea. Apologies for not getting back to you sooner on this one.
I consider it so, the core functionality (and everything that pip would need) is working and we've received no complaints so far with modest usage. I can throw together a PR that only vendors the project and removes the installation instruction from the documentation if you're still okay with this approach.
In the general case switching from "certifi is trust store" to "system trust store with certifi supplementing" shouldn't have an impact on folks since the same root to leaf chains should be . I'm sure there are ways that users could get in trouble, like if the system trust store could be configured to avoid supplemental CAs or something like that but I'm not familiar with all the configuration options available on Windows and macOS to know what's possible here.
In addition to all the benefits of an OS trust store over a static trust store, this change is part of an effort to put Python more in line with other ecosystems where the system trust store is used instead of a trust store that's distributed+updated+managed "out-of-band" compared to all other software on the system. From the PEP 543 rationale on "why system trust stores":
|
@sethmlarson the 24.2 development period has started. Probably good time to update this PR (at least to pull in the CI fixes). |
(kicking CI... fingers crossed) |
241100e
to
0138f95
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the docs could be even a bit clearer, but otherwise LGTM. Thank you!
|
||
return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) | ||
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) | ||
ctx.load_verify_locations(certifi.where()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious, what's the purpose of this addition?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change was done to ensure that this change is backwards compatible, so now instead of only using certifi the trust store is the union of certifi and the system trust store.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. I was just confused AFAIU the codebase already falls back to certifi even without this line, but maybe that's not --use-feature=truststore
did. 👍
Windows CI is failing due to flaky tests I introduced earlier. They should be fixed once #12839 is merged. Sorry about the trouble! |
Co-authored-by: Richard Si <sichard26@gmail.com>
0750a8d
to
69874c7
Compare
Oh fun. It obviously doesn't sign commits made on the web UI for others. |
@pradyunsg Looks like the rebase has a passing test suite, ready to merge whenever :) |
Thank you for the patience, and congratulations on the merge @sethmlarson. 🎉 |
…k/test/generated-code (#4584) Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>24.2 (2024-07-28)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code> when using a setuptools version that does not support :pep:<code>660</code> (setuptools v63 and older). (<code>[#11457](pypa/pip#11457) <https://github.com/pypa/pip/issues/11457></code>_)</li> </ul> <h2>Features</h2> <ul> <li> <p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) <https://github.com/pypa/pip/issues/11054></code>_)</p> </li> <li> <p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+. Python 3.9 and earlier only use certifi.</p> <p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) <https://github.com/pypa/pip/issues/11647></code>_)</p> </li> <li> <p>Improve discovery performance of installed packages when the <code>importlib.metadata</code> backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) <https://github.com/pypa/pip/issues/12656></code>_)</p> </li> <li> <p>Improve performance when the same requirement string appears many times during resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) <https://github.com/pypa/pip/issues/12663></code>_)</p> </li> <li> <p>Minor performance improvement of finding applicable package candidates by not repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) <https://github.com/pypa/pip/issues/12664></code>_)</p> </li> <li> <p>Disable pip's self version check when invoking a pip subprocess to install PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) <https://github.com/pypa/pip/issues/12683></code>_)</p> </li> <li> <p>Improve dependency resolution performance by caching platform compatibility tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) <https://github.com/pypa/pip/issues/12712></code>_)</p> </li> <li> <p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>. <code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code> hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) <https://github.com/pypa/pip/issues/12728></code>_)</p> </li> <li> <p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) <https://github.com/pypa/pip/issues/12842></code>_)</p> </li> <li> <p>Improve package download and install performance.</p> <p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB). This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) <https://github.com/pypa/pip/issues/12810></code>_)</p> </li> <li> <p>Improve pip install performance.</p> <p>Files are now extracted in 1MB blocks, or in one block matching the file size for smaller files. A decompressor is no longer instantiated when extracting 0 bytes files, it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) <https://github.com/pypa/pip/issues/12803></code>_)</p> </li> </ul> <h2>Bug Fixes</h2> <ul> <li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) <https://github.com/pypa/pip/issues/11045></code>_)</li> <li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) <https://github.com/pypa/pip/issues/12216></code>_)</li> <li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) <https://github.com/pypa/pip/issues/12680></code>_)</li> <li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) <https://github.com/pypa/pip/issues/12716></code>_)</li> <li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) <https://github.com/pypa/pip/issues/12751></code>_)</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li> <li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li> <li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li> <li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li> <li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li> <li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li> <li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li> <li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
…s/@jsii/python-runtime (#4588) Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>24.2 (2024-07-28)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code> when using a setuptools version that does not support :pep:<code>660</code> (setuptools v63 and older). (<code>[#11457](pypa/pip#11457) <https://github.com/pypa/pip/issues/11457></code>_)</li> </ul> <h2>Features</h2> <ul> <li> <p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) <https://github.com/pypa/pip/issues/11054></code>_)</p> </li> <li> <p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+. Python 3.9 and earlier only use certifi.</p> <p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) <https://github.com/pypa/pip/issues/11647></code>_)</p> </li> <li> <p>Improve discovery performance of installed packages when the <code>importlib.metadata</code> backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) <https://github.com/pypa/pip/issues/12656></code>_)</p> </li> <li> <p>Improve performance when the same requirement string appears many times during resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) <https://github.com/pypa/pip/issues/12663></code>_)</p> </li> <li> <p>Minor performance improvement of finding applicable package candidates by not repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) <https://github.com/pypa/pip/issues/12664></code>_)</p> </li> <li> <p>Disable pip's self version check when invoking a pip subprocess to install PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) <https://github.com/pypa/pip/issues/12683></code>_)</p> </li> <li> <p>Improve dependency resolution performance by caching platform compatibility tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) <https://github.com/pypa/pip/issues/12712></code>_)</p> </li> <li> <p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>. <code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code> hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) <https://github.com/pypa/pip/issues/12728></code>_)</p> </li> <li> <p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) <https://github.com/pypa/pip/issues/12842></code>_)</p> </li> <li> <p>Improve package download and install performance.</p> <p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB). This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) <https://github.com/pypa/pip/issues/12810></code>_)</p> </li> <li> <p>Improve pip install performance.</p> <p>Files are now extracted in 1MB blocks, or in one block matching the file size for smaller files. A decompressor is no longer instantiated when extracting 0 bytes files, it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) <https://github.com/pypa/pip/issues/12803></code>_)</p> </li> </ul> <h2>Bug Fixes</h2> <ul> <li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) <https://github.com/pypa/pip/issues/11045></code>_)</li> <li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) <https://github.com/pypa/pip/issues/12216></code>_)</li> <li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) <https://github.com/pypa/pip/issues/12680></code>_)</li> <li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) <https://github.com/pypa/pip/issues/12716></code>_)</li> <li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) <https://github.com/pypa/pip/issues/12751></code>_)</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li> <li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li> <li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li> <li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li> <li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li> <li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li> <li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li> <li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1...24.2">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>24.2 (2024-07-28)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code> when using a setuptools version that does not support :pep:<code>660</code> (setuptools v63 and older). (<code>[#11457](pypa/pip#11457) <https://github.com/pypa/pip/issues/11457></code>_)</li> </ul> <h2>Features</h2> <ul> <li> <p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) <https://github.com/pypa/pip/issues/11054></code>_)</p> </li> <li> <p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+. Python 3.9 and earlier only use certifi.</p> <p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) <https://github.com/pypa/pip/issues/11647></code>_)</p> </li> <li> <p>Improve discovery performance of installed packages when the <code>importlib.metadata</code> backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) <https://github.com/pypa/pip/issues/12656></code>_)</p> </li> <li> <p>Improve performance when the same requirement string appears many times during resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) <https://github.com/pypa/pip/issues/12663></code>_)</p> </li> <li> <p>Minor performance improvement of finding applicable package candidates by not repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) <https://github.com/pypa/pip/issues/12664></code>_)</p> </li> <li> <p>Disable pip's self version check when invoking a pip subprocess to install PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) <https://github.com/pypa/pip/issues/12683></code>_)</p> </li> <li> <p>Improve dependency resolution performance by caching platform compatibility tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) <https://github.com/pypa/pip/issues/12712></code>_)</p> </li> <li> <p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>. <code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code> hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) <https://github.com/pypa/pip/issues/12728></code>_)</p> </li> <li> <p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) <https://github.com/pypa/pip/issues/12842></code>_)</p> </li> <li> <p>Improve package download and install performance.</p> <p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB). This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) <https://github.com/pypa/pip/issues/12810></code>_)</p> </li> <li> <p>Improve pip install performance.</p> <p>Files are now extracted in 1MB blocks, or in one block matching the file size for smaller files. A decompressor is no longer instantiated when extracting 0 bytes files, it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) <https://github.com/pypa/pip/issues/12803></code>_)</p> </li> </ul> <h2>Bug Fixes</h2> <ul> <li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) <https://github.com/pypa/pip/issues/11045></code>_)</li> <li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) <https://github.com/pypa/pip/issues/12216></code>_)</li> <li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) <https://github.com/pypa/pip/issues/12680></code>_)</li> <li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) <https://github.com/pypa/pip/issues/12716></code>_)</li> <li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) <https://github.com/pypa/pip/issues/12751></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li> <li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li> <li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li> <li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li> <li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li> <li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li> <li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li> <li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>24.2 (2024-07-28)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code> when using a setuptools version that does not support :pep:<code>660</code> (setuptools v63 and older). (<code>[#11457](pypa/pip#11457) <https://github.com/pypa/pip/issues/11457></code>_)</li> </ul> <h2>Features</h2> <ul> <li> <p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) <https://github.com/pypa/pip/issues/11054></code>_)</p> </li> <li> <p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+. Python 3.9 and earlier only use certifi.</p> <p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) <https://github.com/pypa/pip/issues/11647></code>_)</p> </li> <li> <p>Improve discovery performance of installed packages when the <code>importlib.metadata</code> backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) <https://github.com/pypa/pip/issues/12656></code>_)</p> </li> <li> <p>Improve performance when the same requirement string appears many times during resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) <https://github.com/pypa/pip/issues/12663></code>_)</p> </li> <li> <p>Minor performance improvement of finding applicable package candidates by not repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) <https://github.com/pypa/pip/issues/12664></code>_)</p> </li> <li> <p>Disable pip's self version check when invoking a pip subprocess to install PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) <https://github.com/pypa/pip/issues/12683></code>_)</p> </li> <li> <p>Improve dependency resolution performance by caching platform compatibility tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) <https://github.com/pypa/pip/issues/12712></code>_)</p> </li> <li> <p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>. <code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code> hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) <https://github.com/pypa/pip/issues/12728></code>_)</p> </li> <li> <p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) <https://github.com/pypa/pip/issues/12842></code>_)</p> </li> <li> <p>Improve package download and install performance.</p> <p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB). This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) <https://github.com/pypa/pip/issues/12810></code>_)</p> </li> <li> <p>Improve pip install performance.</p> <p>Files are now extracted in 1MB blocks, or in one block matching the file size for smaller files. A decompressor is no longer instantiated when extracting 0 bytes files, it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) <https://github.com/pypa/pip/issues/12803></code>_)</p> </li> </ul> <h2>Bug Fixes</h2> <ul> <li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) <https://github.com/pypa/pip/issues/11045></code>_)</li> <li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) <https://github.com/pypa/pip/issues/12216></code>_)</li> <li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) <https://github.com/pypa/pip/issues/12680></code>_)</li> <li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) <https://github.com/pypa/pip/issues/12716></code>_)</li> <li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) <https://github.com/pypa/pip/issues/12751></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li> <li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li> <li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li> <li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li> <li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li> <li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li> <li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li> <li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>24.2 (2024-07-28)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code> when using a setuptools version that does not support :pep:<code>660</code> (setuptools v63 and older). (<code>[#11457](pypa/pip#11457) <https://github.com/pypa/pip/issues/11457></code>_)</li> </ul> <h2>Features</h2> <ul> <li> <p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) <https://github.com/pypa/pip/issues/11054></code>_)</p> </li> <li> <p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+. Python 3.9 and earlier only use certifi.</p> <p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) <https://github.com/pypa/pip/issues/11647></code>_)</p> </li> <li> <p>Improve discovery performance of installed packages when the <code>importlib.metadata</code> backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) <https://github.com/pypa/pip/issues/12656></code>_)</p> </li> <li> <p>Improve performance when the same requirement string appears many times during resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) <https://github.com/pypa/pip/issues/12663></code>_)</p> </li> <li> <p>Minor performance improvement of finding applicable package candidates by not repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) <https://github.com/pypa/pip/issues/12664></code>_)</p> </li> <li> <p>Disable pip's self version check when invoking a pip subprocess to install PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) <https://github.com/pypa/pip/issues/12683></code>_)</p> </li> <li> <p>Improve dependency resolution performance by caching platform compatibility tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) <https://github.com/pypa/pip/issues/12712></code>_)</p> </li> <li> <p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>. <code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code> hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) <https://github.com/pypa/pip/issues/12728></code>_)</p> </li> <li> <p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) <https://github.com/pypa/pip/issues/12842></code>_)</p> </li> <li> <p>Improve package download and install performance.</p> <p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB). This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) <https://github.com/pypa/pip/issues/12810></code>_)</p> </li> <li> <p>Improve pip install performance.</p> <p>Files are now extracted in 1MB blocks, or in one block matching the file size for smaller files. A decompressor is no longer instantiated when extracting 0 bytes files, it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) <https://github.com/pypa/pip/issues/12803></code>_)</p> </li> </ul> <h2>Bug Fixes</h2> <ul> <li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) <https://github.com/pypa/pip/issues/11045></code>_)</li> <li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) <https://github.com/pypa/pip/issues/12216></code>_)</li> <li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) <https://github.com/pypa/pip/issues/12680></code>_)</li> <li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) <https://github.com/pypa/pip/issues/12716></code>_)</li> <li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) <https://github.com/pypa/pip/issues/12751></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li> <li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li> <li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li> <li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li> <li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li> <li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li> <li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li> <li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Follow up to #11082 which makes truststore w/ certifi the default behavior on Python 3.10+. This behavior can be opted-out of in favor of old behavior with
--use-feature=no-truststore
.TODO:
no-truststore
is specified.cc @davisagli @pradyunsg @uranusjr