Closed
Virtualenv currently bundles pip 24.2
Pip 24.2 is bundled with urllib3==1.26.18 which is vulnerable to CVE-2024-37891
Pip 24.3.1 released yesterday and it uses urllib3==1.26.20 which resolves the above CVE
GitHub Release: https://github.com/pypa/pip/releases/tag/24.3.1
Wheel Download: https://pypi.org/project/pip/24.3.1/#files
Please upgrade the bundled pip wheel to 24.3.1 to ensure that this vulnerability cannot be exploited in virtualenv.
I understand that this vulnerability requires a very specific set of circumstances to exploit, but because virtualenv is such a fundamental part of Python development, it would be nice to avoid even a contrived vulnerability.
If possible, can this also be included in a release?
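The issue above is really a supply-chain question: which urllib3 does the pip wheel that virtualenv seeds into every new environment carry? The following audit script is an added example, not code from the issue or from the virtualenv or pip projects. It reads `pip/_vendor/vendor.txt` out of a pip wheel (the pin list real pip wheels ship, where urllib3 appears indented under requests) and compares the pinned version against the first fixed releases named in the urllib3 advisory for CVE-2024-37891 (1.26.19 on the 1.26 line, 2.2.2 on the 2.x line; the issue cites 1.26.20 because that is what pip 24.3.1 happens to bundle). The sample wheel built by `build_sample_wheel` is constructed in memory for the test; `audit_directory` is meant to be pointed at a directory of real wheels, such as the `virtualenv/seed/wheels/embed` directory of an installed virtualenv, and its glob pattern is an assumption about the wheel file names there.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

VENDOR_TXT = "pip/_vendor/vendor.txt"

# First releases carrying the CVE-2024-37891 fix, per the urllib3 advisory
# (not from the issue text, which only names the versions pip bundles).
FIXED_1X = (1, 26, 19)
FIXED_2X = (2, 2, 2)


def build_sample_wheel(urllib3_version: str) -> bytes:
    """Constructed stand-in for a pip wheel: a zip with only vendor.txt inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            VENDOR_TXT,
            "distlib==0.3.8\n"
            "requests==2.32.3\n"
            "    certifi==2024.8.30\n"
            f"    urllib3=={urllib3_version}\n"
            "rich==13.7.1\n",
        )
    return buf.getvalue()


def vendored_urllib3_version(wheel_bytes: bytes) -> Optional[str]:
    """Return the urllib3 version pinned in the wheel's vendor.txt, or None."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        if VENDOR_TXT not in zf.namelist():
            return None
        text = zf.read(VENDOR_TXT).decode("utf-8")
    for line in text.splitlines():
        # vendor.txt nests transitive pins under their parent with indentation
        m = re.match(r"^\s*urllib3==(\d+(?:\.\d+)*)\s*$", line)
        if m:
            return m.group(1)
    return None


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str) -> bool:
    """True if this urllib3 version is at or past the fix for CVE-2024-37891."""
    v = parse_version(version)
    if v[0] == 1:
        return v >= FIXED_1X
    if v[0] == 2:
        return v >= FIXED_2X
    return v[0] > 2


def audit_wheel(wheel_bytes: bytes) -> dict:
    """Summarise one pip wheel: vendored urllib3 version and whether it is vulnerable."""
    version = vendored_urllib3_version(wheel_bytes)
    if version is None:
        return {"urllib3": None, "vulnerable": None}  # not a pip wheel, or layout changed
    return {"urllib3": version, "vulnerable": not is_fixed(version)}


def audit_directory(directory: str) -> dict:
    """Audit every pip-*.whl in a directory (pattern assumed), keyed by file name."""
    results = {}
    for wheel in sorted(Path(directory).glob("pip-*.whl")):
        results[wheel.name] = audit_wheel(wheel.read_bytes())
    return results


if __name__ == "__main__":
    for ver in ("1.26.18", "1.26.20"):
        print(ver, audit_wheel(build_sample_wheel(ver)))
```

Running this against the wheels an installed virtualenv embeds tells you, without creating an environment, whether new environments will start with a pip whose vendored urllib3 predates the fix; a `vulnerable: None` result means the file was not a pip wheel in the expected layout and should be inspected by hand rather than treated as clean.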