Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Truststore by default #11647

Merged
merged 5 commits into from
Jul 19, 2024
Merged

Truststore by default #11647

merged 5 commits into from
Jul 19, 2024

Conversation

sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Dec 8, 2022

Follow up to #11082 which makes truststore w/ certifi the default behavior on Python 3.10+. This behavior can be opted-out of in favor of old behavior with --use-feature=no-truststore.

TODO:

  • Add a NEWS entry
  • Update documentation with the new situation and feature
  • Add more tests? Unsure how I can test that truststore isn't used when no-truststore is specified.

cc @davisagli @pradyunsg @uranusjr

@sethmlarson sethmlarson marked this pull request as draft December 8, 2022 04:42
@sethmlarson sethmlarson force-pushed the truststore-by-default branch 2 times, most recently from 813bc8f to 61d3293 Compare March 4, 2023 16:35
@sethmlarson sethmlarson force-pushed the truststore-by-default branch from 067a6e3 to a77fbdc Compare March 20, 2023 03:13
@pypa-bot
Copy link

pypa-bot commented Apr 1, 2023

Hello!

I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the master branch into this pull request or rebase this pull request against master then it will eligible for code review and hopefully merging!

@pypa-bot pypa-bot added the needs rebase or merge PR has conflicts with current master label Apr 1, 2023
@sethmlarson sethmlarson force-pushed the truststore-by-default branch from 7c11bb6 to e321885 Compare April 1, 2023 18:14
@pypa-bot pypa-bot removed the needs rebase or merge PR has conflicts with current master label Apr 1, 2023
@sethmlarson sethmlarson closed this Apr 1, 2023
@sethmlarson sethmlarson reopened this Apr 1, 2023
@sethmlarson sethmlarson closed this Apr 1, 2023
@sethmlarson sethmlarson reopened this Apr 1, 2023
@sethmlarson sethmlarson marked this pull request as ready for review April 1, 2023 20:08
src/pip/_internal/commands/debug.py Outdated Show resolved Hide resolved
Comment on lines 67 to 70
# Truststore doesn't work on macOS versions earlier than 10.8
except OSError:
logger.warning("Disabling truststore since OS version isn't supported")
return None
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to do better detection? OSError seems too coarse.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now truststore raises an OSError when the macOS APIs that we need aren't available (ie macOS 10.8). Maybe we can change that error to ImportError instead? cc @davisagli

Copy link

@davisagli davisagli Apr 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sethmlarson Or maybe a custom subclass of ImportError or OSError? It'd be nice to be able to distinguish between an expected condition (not supported) and an ImportError due to something being messed up with the installation of the vendored package.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So @davisagli and I discussed this and unfortunately because this has to happen at import time we couldn't go the route of a custom exception, so we decided to standardize on raising an ImportError whenever the module can't support the current platform/Python version (currently only macOS 10.7 and earlier raise this error).

Hope this works for you, let me know your thoughts.

news/truststore.vendor.rst Outdated Show resolved Hide resolved
@sethmlarson
Copy link
Contributor Author

@uranusjr Thanks for the review, just to double-check, I didn't add any new tests but because this is the new default behavior I figured this would be okay? Let me know if there is any work to be done outside this PR to prepare for this change (I'll likely write a blog post, but happy to help elsewhere too!)

@uranusjr
Copy link
Member

I imagine it may be difficult to test this in any case since the feature relies on system configuration by nature. I’m tentitively adding this to 23.1 but the RM has a final say.

@uranusjr uranusjr added this to the 23.1 milestone Apr 10, 2023
@pfmoore
Copy link
Member

pfmoore commented Apr 10, 2023

This doesn't seem to be following our normal transition policy. In particular, our documentation notes that legacy features enabled by a --use-legacy flag "should always include a warning that indicates when the feature is scheduled to be removed". And there isn't one here. (Also, as this is only enabled when Python 3.10 is available, "legacy certificates" won't get removed until we desupport Python 3.9, so it's hardly "legacy" in the sense we normally use the term...)

Furthermore, users who will see a change in behaviour when this gets enabled will have seen no advance warning that it's coming, and will have had no indication that they may need to test or make changes to their certificate handling. My impression is that this is intended to simply add extra ways that a certificate could be treated as valid, so it shouldn't break anything that works right now, but how sure are we of that? People do crazy things...

I suspect very few people will have tried the new feature yet, as it requires installing a support module and enabling an opt-in flag. So I'd consider the new functionality mostly "untried" at this point. I know it's hard to get people to test new stuff, but can we not at least do something to publicise the change in advance?

Sorry, but I'm going to reject this for 23.1, on the basis that the transition process needs a bit more work, and I don't want that to be rushed just to get the feature into 23.1.

I'm open to arguments to reconsider, but they'll need to be based around explanations of how the current approach is safer than I think it is, not around how we can improve the PR (which will be a fine approach, but not for 23.1)

@sethmlarson
Copy link
Contributor Author

sethmlarson commented Apr 10, 2023

Thanks for your review and detailed thought process @pfmoore! I agree on your reasoning for not including this in 23.1. I had a few questions on how best to proceed:

I suspect very few people will have tried the new feature yet, as it requires installing a support module and enabling an opt-in flag. So I'd consider the new functionality mostly "untried" at this point. I know it's hard to get people to test new stuff, but can we not at least do something to publicise the change in advance?

Agreed, I'm thinking for 23.1 we could:

  • Vendor truststore 0.7.0 as we've proposed here to avoid the install
  • Start emitting a warning asking for opt-in for Python 3.10+?

Then we can start getting a lot more feedback and hopefully be more confident with this change being purely additive. Do you agree with this approach, and if so I can rapidly create a PR to meet 23.1?

Also, as this is only enabled when Python 3.10 is available, "legacy certificates" won't get removed until we desupport Python 3.9, so it's hardly "legacy" in the sense we normally use the term...

Since this change should be additive for Python 3.10+ compared to Python 3.9 and earlier, do you see it being necessary to have Python 3.9 support removed before Python 3.10+ would always have this new behavior? In my mind, Python 3.9 and earlier wouldn't be dependent on this change moving forward.

@pfmoore
Copy link
Member

pfmoore commented Apr 10, 2023

I'm not particularly familiar with the use cases involved here, so I'm not the best person to comment - hopefully @uranusjr can help out.

One question I do have - is truststore now considered stable? In other words, are we safe to vendor it on the assumption that any issues (which have the potential to be security issues, I guess) will be handled via our usual "please report to the vendored project, we'll wait for them to issue a fix and then pick that up in our routine revendoring at our next scheduled release"? I ask because #11082 deliberately didn't vendor for this reason, and the release cadence still seems pretty fast to me.

I don't like the idea of an "always on" warning nagging people to use a new feature that may have no value to them. At least I assume that for a lot of people it will have no value - I've personally never had a problem because pip uses certifi rather than the system store. What are the target users for this feature, in fact? Presumably it's groups with custom indexes whose certificate is in the system store (managed corporately somehow) who are currently using a dedicated certificate file and who could drop it if they used the system store? So they have a bit of management overhead that they'd be glad to get rid of?

Conversely, what are the potential failure cases here? How could switching to use the system store cause something to fail that is currently working? Presumably one case would be "certificate expires and corporate are slow updating the system store"? If it's not obvious, I'm not a security specialist, so if these are dumb scenarios, feel free to ignore them and tell me what would be good ones. My concern here is people screaming "you broke my build pipeline" because there was a behaviour change that we hadn't told them about. Those people are typically the same ones who claim that adding an opt-out flag to all of their jobs isn't practical1.

Agreed, I'm thinking for 23.1 we could:

  • Vendor truststore 0.7.0 as we've proposed here to avoid the install
  • Start emitting a warning asking for opt-in for Python 3.10+?

I'll be honest, given that 23.1 is due at the end of this week, this still feels too much like trying to work out a solution under time pressure to me. I'm still inclined to say let's do nothing in 23.1 and get a proper plan in place after 23.1, so that it's ready to go in good time for 23.2 (and 23.3, if it needs a phased approach, as I feel it probably does).

Footnotes

  1. I'm not sure I believe the situation is as dire as it's often painted, but I'm not willing to fight that battle over this change in particular...

@pfmoore
Copy link
Member

pfmoore commented Apr 15, 2023

As there has been no further comments on this, I'm moving it to the 23.2 milestone.

@pfmoore pfmoore modified the milestones: 23.1, 23.2 Apr 15, 2023
@pfmoore
Copy link
Member

pfmoore commented Jun 25, 2023

There's been nothing further on this, and 23.2 is probably under a month away. @sethmlarson do you have any thoughts on how to proceed, or should we consider moving this to 23.3? I'm not (yet...) the RM for 23.3, but I'd be concerned about having this land at the last minute, just before a release. I know we don't do formal betas, but I still think it's better to get large features in earlier in the release cycle rather than later.

@sethmlarson
Copy link
Contributor Author

sethmlarson commented Jun 27, 2023

@pfmoore Hey Paul, I agree that trying to get this PR in in it's current state wouldn't be a good idea. Apologies for not getting back to you sooner on this one.

One question I do have - is truststore now considered stable? In other words, are we safe to vendor it on the assumption that any issues (which have the potential to be security issues, I guess) will be handled via our usual "please report to the vendored project, we'll wait for them to issue a fix and then pick that up in our routine revendoring at our next scheduled release"? I ask because #11082 deliberately didn't vendor for this reason, and the release cadence still seems pretty fast to me.

I consider it so, the core functionality (and everything that pip would need) is working and we've received no complaints so far with modest usage. I can throw together a PR that only vendors the project and removes the installation instruction from the documentation if you're still okay with this approach.

Conversely, what are the potential failure cases here? How could switching to use the system store cause something to fail that is currently working?

In the general case switching from "certifi is trust store" to "system trust store with certifi supplementing" shouldn't have an impact on folks since the same root to leaf chains should be . I'm sure there are ways that users could get in trouble, like if the system trust store could be configured to avoid supplemental CAs or something like that but I'm not familiar with all the configuration options available on Windows and macOS to know what's possible here.

What are the target users for this feature, in fact?

In addition to all the benefits of an OS trust store over a static trust store, this change is part of an effort to put Python more in line with other ecosystems where the system trust store is used instead of a trust store that's distributed+updated+managed "out-of-band" compared to all other software on the system.

From the PEP 543 rationale on "why system trust stores":

Relying on certifi is less than ideal, as most system administrators do not expect to receive security-critical software updates from PyPI. Additionally, it is not easy to extend the certifi trust bundle to include custom roots, or to centrally manage trust using the certifi model.

Even in situations where the system certificate stores are made available to OpenSSL in some form, the experience is still sub-standard, as OpenSSL will perform different validation checks than the platform-native TLS implementation. This can lead to users experiencing different behaviour on their browsers or other platform-native tools than they experience in Python, with little or no recourse to resolve the problem.

@ichard26
Copy link
Member

@sethmlarson the 24.2 development period has started. Probably good time to update this PR (at least to pull in the CI fixes).

@ichard26 ichard26 closed this Jul 6, 2024
@ichard26 ichard26 reopened this Jul 6, 2024
@ichard26
Copy link
Member

ichard26 commented Jul 6, 2024

(kicking CI... fingers crossed)

src/pip/_internal/cli/index_command.py Outdated Show resolved Hide resolved
@pradyunsg pradyunsg force-pushed the truststore-by-default branch from 241100e to 0138f95 Compare July 9, 2024 23:46
Copy link
Member

@ichard26 ichard26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the docs could be even a bit clearer, but otherwise LGTM. Thank you!


return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.load_verify_locations(certifi.where())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious, what's the purpose of this addition?

Copy link
Contributor Author

@sethmlarson sethmlarson Jul 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was done to ensure that this change is backwards compatible, so now instead of only using certifi the trust store is the union of certifi and the system trust store.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. I was just confused AFAIU the codebase already falls back to certifi even without this line, but maybe that's not --use-feature=truststore did. 👍

docs/html/topics/https-certificates.md Outdated Show resolved Hide resolved
@ichard26
Copy link
Member

Windows CI is failing due to flaky tests I introduced earlier. They should be fixed once #12839 is merged. Sorry about the trouble!

@pradyunsg pradyunsg force-pushed the truststore-by-default branch from 0750a8d to 69874c7 Compare July 13, 2024 21:40
@pradyunsg
Copy link
Member

Oh fun. It obviously doesn't sign commits made on the web UI for others.

@sethmlarson
Copy link
Contributor Author

@pradyunsg Looks like the rebase has a passing test suite, ready to merge whenever :)

@pradyunsg pradyunsg merged commit 8eadcab into pypa:main Jul 19, 2024
28 checks passed
@ichard26
Copy link
Member

Thank you for the patience, and congratulations on the merge @sethmlarson. 🎉

@sethmlarson sethmlarson deleted the truststore-by-default branch July 22, 2024 14:33
mergify bot pushed a commit to aws/jsii that referenced this pull request Jul 29, 2024
…k/test/generated-code (#4584)

Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>24.2 (2024-07-28)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code>
when using a setuptools version that does not support :pep:<code>660</code>
(setuptools v63 and older). (<code>[#11457](pypa/pip#11457) &lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) &lt;https://github.com/pypa/pip/issues/11054&gt;</code>_)</p>
</li>
<li>
<p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.</p>
<p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) &lt;https://github.com/pypa/pip/issues/11647&gt;</code>_)</p>
</li>
<li>
<p>Improve discovery performance of installed packages when the <code>importlib.metadata</code>
backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) &lt;https://github.com/pypa/pip/issues/12656&gt;</code>_)</p>
</li>
<li>
<p>Improve performance when the same requirement string appears many times during
resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) &lt;https://github.com/pypa/pip/issues/12663&gt;</code>_)</p>
</li>
<li>
<p>Minor performance improvement of finding applicable package candidates by not
repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) &lt;https://github.com/pypa/pip/issues/12664&gt;</code>_)</p>
</li>
<li>
<p>Disable pip's self version check when invoking a pip subprocess to install
PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) &lt;https://github.com/pypa/pip/issues/12683&gt;</code>_)</p>
</li>
<li>
<p>Improve dependency resolution performance by caching platform compatibility
tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) &lt;https://github.com/pypa/pip/issues/12712&gt;</code>_)</p>
</li>
<li>
<p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>.
<code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code>
hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) &lt;https://github.com/pypa/pip/issues/12728&gt;</code>_)</p>
</li>
<li>
<p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) &lt;https://github.com/pypa/pip/issues/12842&gt;</code>_)</p>
</li>
<li>
<p>Improve package download and install performance.</p>
<p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) &lt;https://github.com/pypa/pip/issues/12810&gt;</code>_)</p>
</li>
<li>
<p>Improve pip install performance.</p>
<p>Files are now extracted in 1MB blocks, or in one block matching the file size for
smaller files. A decompressor is no longer instantiated when extracting 0 bytes files,
it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) &lt;https://github.com/pypa/pip/issues/12803&gt;</code>_)</p>
</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) &lt;https://github.com/pypa/pip/issues/11045&gt;</code>_)</li>
<li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) &lt;https://github.com/pypa/pip/issues/12216&gt;</code>_)</li>
<li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) &lt;https://github.com/pypa/pip/issues/12680&gt;</code>_)</li>
<li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) &lt;https://github.com/pypa/pip/issues/12716&gt;</code>_)</li>
<li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) &lt;https://github.com/pypa/pip/issues/12751&gt;</code>_)</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li>
<li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li>
<li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li>
<li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li>
<li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li>
<li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
mergify bot pushed a commit to aws/jsii that referenced this pull request Jul 29, 2024
…s/@jsii/python-runtime (#4588)

Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>24.2 (2024-07-28)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code>
when using a setuptools version that does not support :pep:<code>660</code>
(setuptools v63 and older). (<code>[#11457](pypa/pip#11457) &lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) &lt;https://github.com/pypa/pip/issues/11054&gt;</code>_)</p>
</li>
<li>
<p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.</p>
<p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) &lt;https://github.com/pypa/pip/issues/11647&gt;</code>_)</p>
</li>
<li>
<p>Improve discovery performance of installed packages when the <code>importlib.metadata</code>
backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) &lt;https://github.com/pypa/pip/issues/12656&gt;</code>_)</p>
</li>
<li>
<p>Improve performance when the same requirement string appears many times during
resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) &lt;https://github.com/pypa/pip/issues/12663&gt;</code>_)</p>
</li>
<li>
<p>Minor performance improvement of finding applicable package candidates by not
repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) &lt;https://github.com/pypa/pip/issues/12664&gt;</code>_)</p>
</li>
<li>
<p>Disable pip's self version check when invoking a pip subprocess to install
PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) &lt;https://github.com/pypa/pip/issues/12683&gt;</code>_)</p>
</li>
<li>
<p>Improve dependency resolution performance by caching platform compatibility
tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) &lt;https://github.com/pypa/pip/issues/12712&gt;</code>_)</p>
</li>
<li>
<p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>.
<code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code>
hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) &lt;https://github.com/pypa/pip/issues/12728&gt;</code>_)</p>
</li>
<li>
<p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) &lt;https://github.com/pypa/pip/issues/12842&gt;</code>_)</p>
</li>
<li>
<p>Improve package download and install performance.</p>
<p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) &lt;https://github.com/pypa/pip/issues/12810&gt;</code>_)</p>
</li>
<li>
<p>Improve pip install performance.</p>
<p>Files are now extracted in 1MB blocks, or in one block matching the file size for
smaller files. A decompressor is no longer instantiated when extracting 0 bytes files,
it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) &lt;https://github.com/pypa/pip/issues/12803&gt;</code>_)</p>
</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) &lt;https://github.com/pypa/pip/issues/11045&gt;</code>_)</li>
<li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) &lt;https://github.com/pypa/pip/issues/12216&gt;</code>_)</li>
<li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) &lt;https://github.com/pypa/pip/issues/12680&gt;</code>_)</li>
<li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) &lt;https://github.com/pypa/pip/issues/12716&gt;</code>_)</li>
<li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) &lt;https://github.com/pypa/pip/issues/12751&gt;</code>_)</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li>
<li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li>
<li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li>
<li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li>
<li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li>
<li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1...24.2">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this pull request Jul 29, 2024
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>24.2 (2024-07-28)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code>
when using a setuptools version that does not support :pep:<code>660</code>
(setuptools v63 and older). (<code>[#11457](pypa/pip#11457) &lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) &lt;https://github.com/pypa/pip/issues/11054&gt;</code>_)</p>
</li>
<li>
<p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.</p>
<p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) &lt;https://github.com/pypa/pip/issues/11647&gt;</code>_)</p>
</li>
<li>
<p>Improve discovery performance of installed packages when the <code>importlib.metadata</code>
backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) &lt;https://github.com/pypa/pip/issues/12656&gt;</code>_)</p>
</li>
<li>
<p>Improve performance when the same requirement string appears many times during
resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) &lt;https://github.com/pypa/pip/issues/12663&gt;</code>_)</p>
</li>
<li>
<p>Minor performance improvement of finding applicable package candidates by not
repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) &lt;https://github.com/pypa/pip/issues/12664&gt;</code>_)</p>
</li>
<li>
<p>Disable pip's self version check when invoking a pip subprocess to install
PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) &lt;https://github.com/pypa/pip/issues/12683&gt;</code>_)</p>
</li>
<li>
<p>Improve dependency resolution performance by caching platform compatibility
tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) &lt;https://github.com/pypa/pip/issues/12712&gt;</code>_)</p>
</li>
<li>
<p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>.
<code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code>
hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) &lt;https://github.com/pypa/pip/issues/12728&gt;</code>_)</p>
</li>
<li>
<p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) &lt;https://github.com/pypa/pip/issues/12842&gt;</code>_)</p>
</li>
<li>
<p>Improve package download and install performance.</p>
<p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) &lt;https://github.com/pypa/pip/issues/12810&gt;</code>_)</p>
</li>
<li>
<p>Improve pip install performance.</p>
<p>Files are now extracted in 1MB blocks, or in one block matching the file size for
smaller files. A decompressor is no longer instantiated when extracting 0 bytes files,
it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) &lt;https://github.com/pypa/pip/issues/12803&gt;</code>_)</p>
</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) &lt;https://github.com/pypa/pip/issues/11045&gt;</code>_)</li>
<li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) &lt;https://github.com/pypa/pip/issues/12216&gt;</code>_)</li>
<li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) &lt;https://github.com/pypa/pip/issues/12680&gt;</code>_)</li>
<li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) &lt;https://github.com/pypa/pip/issues/12716&gt;</code>_)</li>
<li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) &lt;https://github.com/pypa/pip/issues/12751&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li>
<li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li>
<li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li>
<li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li>
<li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li>
<li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this pull request Jul 29, 2024
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>24.2 (2024-07-28)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate <code>pip install --editable</code> falling back to <code>setup.py develop</code>
when using a setuptools version that does not support :pep:<code>660</code>
(setuptools v63 and older). (<code>[#11457](pypa/pip#11457) &lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Check unsupported packages for the current platform. (<code>[#11054](pypa/pip#11054) &lt;https://github.com/pypa/pip/issues/11054&gt;</code>_)</p>
</li>
<li>
<p>Use system certificates <em>and</em> certifi certificates to verify HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.</p>
<p>To revert to previous behaviour, pass the flag <code>--use-deprecated=legacy-certs</code>. (<code>[#11647](pypa/pip#11647) &lt;https://github.com/pypa/pip/issues/11647&gt;</code>_)</p>
</li>
<li>
<p>Improve discovery performance of installed packages when the <code>importlib.metadata</code>
backend is used to load distribution metadata (used by default under Python 3.11+). (<code>[#12656](pypa/pip#12656) &lt;https://github.com/pypa/pip/issues/12656&gt;</code>_)</p>
</li>
<li>
<p>Improve performance when the same requirement string appears many times during
resolution, by consistently caching the parsed requirement string. (<code>[#12663](pypa/pip#12663) &lt;https://github.com/pypa/pip/issues/12663&gt;</code>_)</p>
</li>
<li>
<p>Minor performance improvement of finding applicable package candidates by not
repeatedly calculating their versions (<code>[#12664](pypa/pip#12664) &lt;https://github.com/pypa/pip/issues/12664&gt;</code>_)</p>
</li>
<li>
<p>Disable pip's self version check when invoking a pip subprocess to install
PEP 517 build requirements. (<code>[#12683](pypa/pip#12683) &lt;https://github.com/pypa/pip/issues/12683&gt;</code>_)</p>
</li>
<li>
<p>Improve dependency resolution performance by caching platform compatibility
tags during wheel cache lookup. (<code>[#12712](pypa/pip#12712) &lt;https://github.com/pypa/pip/issues/12712&gt;</code>_)</p>
</li>
<li>
<p><code>wheel</code> is no longer explicitly listed as a build dependency of <code>pip</code>.
<code>setuptools</code> injects this dependency in the <code>get_requires_for_build_wheel()</code>
hook and no longer needs it on newer versions. (<code>[#12728](pypa/pip#12728) &lt;https://github.com/pypa/pip/issues/12728&gt;</code>_)</p>
</li>
<li>
<p>Ignore <code>--require-virtualenv</code> for <code>pip check</code> and <code>pip freeze</code> (<code>[#12842](pypa/pip#12842) &lt;https://github.com/pypa/pip/issues/12842&gt;</code>_)</p>
</li>
<li>
<p>Improve package download and install performance.</p>
<p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar. (<code>[#12810](pypa/pip#12810) &lt;https://github.com/pypa/pip/issues/12810&gt;</code>_)</p>
</li>
<li>
<p>Improve pip install performance.</p>
<p>Files are now extracted in 1MB blocks, or in one block matching the file size for
smaller files. A decompressor is no longer instantiated when extracting 0 bytes files,
it is not necessary because there is no data to decompress. (<code>[#12803](pypa/pip#12803) &lt;https://github.com/pypa/pip/issues/12803&gt;</code>_)</p>
</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Set <code>no_color</code> to global <code>rich.Console</code> instance. (<code>[#11045](pypa/pip#11045) &lt;https://github.com/pypa/pip/issues/11045&gt;</code>_)</li>
<li>Fix resolution to respect <code>--python-version</code> when checking <code>Requires-Python</code>. (<code>[#12216](pypa/pip#12216) &lt;https://github.com/pypa/pip/issues/12216&gt;</code>_)</li>
<li>Perform hash comparisons in a case-insensitive manner. (<code>[#12680](pypa/pip#12680) &lt;https://github.com/pypa/pip/issues/12680&gt;</code>_)</li>
<li>Avoid <code>dlopen</code> failure for glibc detection in musl builds (<code>[#12716](pypa/pip#12716) &lt;https://github.com/pypa/pip/issues/12716&gt;</code>_)</li>
<li>Avoid keyring logging crashes when pip is run in verbose mode. (<code>[#12751](pypa/pip#12751) &lt;https://github.com/pypa/pip/issues/12751&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a> Bump the github-actions group with 2 updates (<a href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a> Update dependabot.yml to bump group updates (<a href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from hellozee/fix-unit-test</li>
<li><a href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a> Fix invalid origin test to check all the logged messages</li>
<li><a href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from pradyunsg/better-exception-handling-around-sel...</li>
<li><a href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a> Properly mock <code>_self_version_check_logic</code></li>
<li><a href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a> Rework how <code>--debug</code> is handled in <code>main</code></li>
<li><a href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a> Move exception suppression to cover more of self-version-check logic</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
kai687 pushed a commit to kai687/sphinxawesome-theme that referenced this pull request Aug 5, 2024
Bumps [pip](https://github.com/pypa/pip) from 24.1.2 to 24.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>24.2 (2024-07-28)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate <code>pip install --editable</code> falling back to
<code>setup.py develop</code>
when using a setuptools version that does not support
:pep:<code>660</code>
(setuptools v63 and older).
(<code>[#11457](pypa/pip#11457)
&lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Check unsupported packages for the current platform.
(<code>[#11054](pypa/pip#11054)
&lt;https://github.com/pypa/pip/issues/11054&gt;</code>_)</p>
</li>
<li>
<p>Use system certificates <em>and</em> certifi certificates to verify
HTTPS connections on Python 3.10+.
Python 3.9 and earlier only use certifi.</p>
<p>To revert to previous behaviour, pass the flag
<code>--use-deprecated=legacy-certs</code>.
(<code>[#11647](pypa/pip#11647)
&lt;https://github.com/pypa/pip/issues/11647&gt;</code>_)</p>
</li>
<li>
<p>Improve discovery performance of installed packages when the
<code>importlib.metadata</code>
backend is used to load distribution metadata (used by default under
Python 3.11+). (<code>[#12656](pypa/pip#12656)
&lt;https://github.com/pypa/pip/issues/12656&gt;</code>_)</p>
</li>
<li>
<p>Improve performance when the same requirement string appears many
times during
resolution, by consistently caching the parsed requirement string.
(<code>[#12663](pypa/pip#12663)
&lt;https://github.com/pypa/pip/issues/12663&gt;</code>_)</p>
</li>
<li>
<p>Minor performance improvement of finding applicable package
candidates by not
repeatedly calculating their versions
(<code>[#12664](pypa/pip#12664)
&lt;https://github.com/pypa/pip/issues/12664&gt;</code>_)</p>
</li>
<li>
<p>Disable pip's self version check when invoking a pip subprocess to
install
PEP 517 build requirements.
(<code>[#12683](pypa/pip#12683)
&lt;https://github.com/pypa/pip/issues/12683&gt;</code>_)</p>
</li>
<li>
<p>Improve dependency resolution performance by caching platform
compatibility
tags during wheel cache lookup.
(<code>[#12712](pypa/pip#12712)
&lt;https://github.com/pypa/pip/issues/12712&gt;</code>_)</p>
</li>
<li>
<p><code>wheel</code> is no longer explicitly listed as a build
dependency of <code>pip</code>.
<code>setuptools</code> injects this dependency in the
<code>get_requires_for_build_wheel()</code>
hook and no longer needs it on newer versions.
(<code>[#12728](pypa/pip#12728)
&lt;https://github.com/pypa/pip/issues/12728&gt;</code>_)</p>
</li>
<li>
<p>Ignore <code>--require-virtualenv</code> for <code>pip check</code>
and <code>pip freeze</code>
(<code>[#12842](pypa/pip#12842)
&lt;https://github.com/pypa/pip/issues/12842&gt;</code>_)</p>
</li>
<li>
<p>Improve package download and install performance.</p>
<p>Increase chunk sizes when downloading (256 kB, up from 10 kB) and
reading files (1 MB, up from 8 kB).
This reduces the frequency of updates to pip's progress bar.
(<code>[#12810](pypa/pip#12810)
&lt;https://github.com/pypa/pip/issues/12810&gt;</code>_)</p>
</li>
<li>
<p>Improve pip install performance.</p>
<p>Files are now extracted in 1MB blocks, or in one block matching the
file size for
smaller files. A decompressor is no longer instantiated when extracting
0 bytes files,
it is not necessary because there is no data to decompress.
(<code>[#12803](pypa/pip#12803)
&lt;https://github.com/pypa/pip/issues/12803&gt;</code>_)</p>
</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Set <code>no_color</code> to global <code>rich.Console</code>
instance. (<code>[#11045](pypa/pip#11045)
&lt;https://github.com/pypa/pip/issues/11045&gt;</code>_)</li>
<li>Fix resolution to respect <code>--python-version</code> when
checking <code>Requires-Python</code>.
(<code>[#12216](pypa/pip#12216)
&lt;https://github.com/pypa/pip/issues/12216&gt;</code>_)</li>
<li>Perform hash comparisons in a case-insensitive manner.
(<code>[#12680](pypa/pip#12680)
&lt;https://github.com/pypa/pip/issues/12680&gt;</code>_)</li>
<li>Avoid <code>dlopen</code> failure for glibc detection in musl builds
(<code>[#12716](pypa/pip#12716)
&lt;https://github.com/pypa/pip/issues/12716&gt;</code>_)</li>
<li>Avoid keyring logging crashes when pip is run in verbose mode.
(<code>[#12751](pypa/pip#12751)
&lt;https://github.com/pypa/pip/issues/12751&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/97146c7f4cd85551f3dc261830a57f304e43c181"><code>97146c7</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/ef81b2eafd390fb56f62930dcd74f6e4580093e0"><code>ef81b2e</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/350a0570a88b6c0d13c68f81ac08dc64f954cadf"><code>350a057</code></a>
Bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/pypa/pip/issues/12876">#12876</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/184390f4f2cde0316801eb701f49dda4f7a9a6ac"><code>184390f</code></a>
Update dependabot.yml to bump group updates (<a
href="https://redirect.github.com/pypa/pip/issues/12572">#12572</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/48917f1c0375496058d677f652a90de6bee4dc8c"><code>48917f1</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12875">#12875</a> from
hellozee/fix-unit-test</li>
<li><a
href="https://github.com/pypa/pip/commit/dd85c28464dbfc9b3a53c885a41c209e4700ad2d"><code>dd85c28</code></a>
Fix invalid origin test to check all the logged messages</li>
<li><a
href="https://github.com/pypa/pip/commit/203780b5d167c4d01c55df7adc91d5ad1a0563aa"><code>203780b</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12865">#12865</a> from
pradyunsg/better-exception-handling-around-sel...</li>
<li><a
href="https://github.com/pypa/pip/commit/e50314134886d5eb5b650b3ce95abaafcb6dce10"><code>e503141</code></a>
Properly mock <code>_self_version_check_logic</code></li>
<li><a
href="https://github.com/pypa/pip/commit/3518d3293445ad43eedba116b6182185c03abda3"><code>3518d32</code></a>
Rework how <code>--debug</code> is handled in <code>main</code></li>
<li><a
href="https://github.com/pypa/pip/commit/be21d82e4362c00aab451ef1cf212d9a62f8e58e"><code>be21d82</code></a>
Move exception suppression to cover more of self-version-check
logic</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/24.1.2...24.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=24.1.2&new-version=24.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants