Skip to content

Update dependency pip to v26 [SECURITY]#58

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability
Open

Update dependency pip to v26 [SECURITY]#58
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 26, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pip (changelog) ~=24.0~=26.0 age adoption passing confidence
pip (changelog) ==24.0==26.0 age adoption passing confidence

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

BIT-pip-2025-8869 / CVE-2025-8869 / GHSA-4xh5-x5gv-qwph

More information

Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pip Path Traversal vulnerability

CVE-2026-1703 / GHSA-6vgw-5pg2-w6jp

More information

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pypa/pip (pip)

v26.0

Compare Source

v25.3

Compare Source

v25.2

Compare Source

v25.1.1

Compare Source

v25.1

Compare Source

v25.0.1

Compare Source

v25.0

Compare Source

v24.3.1

Compare Source

v24.3

Compare Source

v24.2

Compare Source

v24.1.2

Compare Source

v24.1.1

Compare Source

v24.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovatebot label Oct 26, 2025
@renovate renovate bot requested a review from a team as a code owner October 26, 2025 04:17
@renovate
Copy link
Contributor Author

renovate bot commented Oct 26, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: model-servers/vllm/0.11.0/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-ny9543z8-requirements/pipenv-pqkrhhrg-constraints.txt 
(line 33) and filelock~=3.14.0 because these package versions have conflicting 
dependencies.
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts

Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 65, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1039, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 875, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.6.4/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-telyh3e1-requirements/pipenv-g04x7tq7-constraints.txt 
(line 5), -r /tmp/pipenv-telyh3e1-requirements/pipenv-g04x7tq7-constraints.txt 
(line 9) and transformers~=4.40.2 because these package versions have 
conflicting dependencies.
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts

Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 65, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1039, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 875, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.6.6/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-is3oh4ud-requirements/pipenv-q6hg9mpc-constraints.txt 
(line 33) and transformers~=4.40.2 because these package versions have 
conflicting dependencies.
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts

Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 65, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1039, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 875, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.8.4/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-qkd43m2l-requirements/pipenv-421u62m7-constraints.txt 
(line 6), -r /tmp/pipenv-qkd43m2l-requirements/pipenv-421u62m7-constraints.txt 
(line 8) and torch==2.3.0+cu121 because these package versions have conflicting 
dependencies.
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts

Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 65, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1039, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.0.3/3.11.14/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 875, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!

@renovate renovate bot added the renovatebot label Oct 26, 2025
@renovate
Update dependency pip to v26 [SECURITY]
b9d33e4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 4ed7f89 to b9d33e4 Compare February 3, 2026 20:12
@renovate renovate bot changed the title Update dependency pip to v25 [SECURITY] Update dependency pip to v26 [SECURITY] Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovatebot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants