forked from pool/python-pip
Update to 26.0.1 (bsc#1257599, CVE-2026-1703)
This commit is contained in:
@@ -1,3 +1,165 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 5 06:51:28 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Update to 26.0.1:
|
||||
* Fix --pre not being respected from the command line when a
|
||||
requirement file includes an option e.g. -extra-index-url.
|
||||
(#13788)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 3 09:10:32 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add %{?pythons_for_pypi} macro, to be used in Leap 16.x for short
|
||||
term interpreter.
|
||||
- Drop upstreamed patch flit-core.patch
|
||||
|
||||
- Update to 26.0 (bsc#1257599, CVE-2026-1703):
|
||||
# Deprecations and Removals
|
||||
- Remove support for non-bare project names in egg fragments.
|
||||
Affected users should use the Direct URL requirement syntax.
|
||||
(#13157)
|
||||
# Features
|
||||
- Display pip’s command-line help in colour, if possible. (#12134)
|
||||
- Support installing dependencies declared with inline script
|
||||
metadata (PEP 723) with --requirements-from-script. (#12891)
|
||||
- Add --all-releases and --only-final options to control pre-release
|
||||
and final release selection during package installation. (#13221)
|
||||
- Add --uploaded-prior-to option to only consider packages uploaded
|
||||
prior to a given datetime when the upload-time field is available
|
||||
from a remote index. (#13625)
|
||||
- Add --use-feature inprocess-build-deps to request that build
|
||||
dependencies are installed within the same pip install process.
|
||||
This new mechanism is faster, supports --no-clean and
|
||||
--no-cache-dir reliably, and supports prompting for
|
||||
authentication.
|
||||
- Enabling this feature will also enable --use-feature
|
||||
build-constraints. This feature will become the default in a
|
||||
future pip version. (#9081)
|
||||
- pip cache purge and pip cache remove now clean up empty
|
||||
directories and legacy files left by older pip versions. (#9058)
|
||||
# Bug Fixes
|
||||
- Fix selecting pre-release versions when only pre-releases match.
|
||||
For example, package>1.0 with versions 1.0, 2.0rc1 now installs
|
||||
2.0rc1 instead of failing. (#13746)
|
||||
- Revisions in version control URLs now must be percent-encoded. For
|
||||
example, use git+https://example.com/repo.git@issue%231 to specify
|
||||
the branch issue#1. If you previously used a branch name
|
||||
containing a % character in a version control URL, you now need to
|
||||
replace it with %25 to ensure correct percent-encoding. (#13407)
|
||||
- Preserve original casing when a path is displayed. (#6823)
|
||||
- Fix bash completion when the $IFS variable has been modified from
|
||||
its default. (#13555)
|
||||
- Precompute Python requirements on each candidate, reducing time of
|
||||
long resolutions. (#13656)
|
||||
- Skip redundant work converting version objects to strings when
|
||||
using the importlib.metadata backend. (#13660)
|
||||
- Fix pip index versions to honor only-binary/no-binary options.
|
||||
(#13682)
|
||||
- Fix fallthrough logic for options, allowing overriding global
|
||||
options with defaults from user config. (#13703)
|
||||
- Use a path-segment prefix comparison, not char-by-char. (#13777)
|
||||
|
||||
- 25.3:
|
||||
# Deprecations and Removals
|
||||
- Remove support for the legacy setup.py develop editable method in
|
||||
setuptools editable installs; setuptools >= 64 is now required.
|
||||
(#11457)
|
||||
- Remove the deprecated --global-option and --build-option.
|
||||
--config-setting is now the only way to pass options to the build
|
||||
backend. (#11859)
|
||||
- Deprecate the PIP_CONSTRAINT environment variable for specifying
|
||||
build constraints.
|
||||
- Use the --build-constraint option or the PIP_BUILD_CONSTRAINT
|
||||
environment variable instead. When build constraints are used,
|
||||
PIP_CONSTRAINT no longer affects isolated build environments. To
|
||||
enable this behavior without specifying any build constraints, use
|
||||
--use-feature=build-constraint. (#13534)
|
||||
- Remove support for non-standard legacy wheel filenames. (#13581)
|
||||
- Remove support for the deprecated setup.py bdist_wheel mechanism.
|
||||
Consequently, --use-pep517 is now always on, and --no-use-pep517
|
||||
has been removed. (#6334)
|
||||
# Features
|
||||
- When PEP 658 metadata is available, full distribution files are no
|
||||
longer downloaded when using pip lock or pip install --dry-run.
|
||||
(#12603)
|
||||
- Add support for installing an editable requirement written as a
|
||||
Direct URL (PackageName @ URL). (#13495)
|
||||
- Add support for build constraints via the --build-constraint
|
||||
option. This allows constraining the versions of packages used
|
||||
during the build process (e.g., setuptools) without affecting the
|
||||
final installation. (#13534)
|
||||
- On ResolutionImpossible errors, include a note about causes with
|
||||
no candidates. (#13588)
|
||||
- Building pip itself from source now uses flit-core instead of
|
||||
setuptools. This does not affect how pip installs or builds
|
||||
packages you use. (#13473)
|
||||
# Bug Fixes
|
||||
- Handle malformed Version metadata entries and show a sensible
|
||||
error message instead of crashing. (#13443)
|
||||
- Permit spaces between a filepath and extras in an install
|
||||
requirement. (#13523)
|
||||
- Ensure the self-check files in the cache have the same permissions
|
||||
as the rest of the cache. (#13528)
|
||||
- Avoid concurrency issues and improve performance when caching
|
||||
locally built wheels, especially when the temporary build
|
||||
directory is on a different filesystem than the cache. The wheel
|
||||
directory passed to the build backend is now a temporary
|
||||
subdirectory inside the cache directory. (#13540)
|
||||
- Include relevant user-supplied constraints in logs when reporting
|
||||
dependency conflicts. (#13545)
|
||||
- Fix a regression in configuration parsing that was turning a
|
||||
single value into a list and thus leading to a validation error.
|
||||
(#13548)
|
||||
- For Python versions that do not support PEP 706, pip will now
|
||||
raise an installation error for a source distribution when it
|
||||
includes a symlink that points outside the source distribution
|
||||
archive. (#13550)
|
||||
- Prevent --user installs if site.ENABLE_USER_SITE is set to False.
|
||||
(#8794)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 13 12:25:02 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- update to 25.2
|
||||
# 25.1
|
||||
* Drop support for Python 3.8.
|
||||
* On python 3.14+, the pkg_resources metadata backend cannot be used
|
||||
anymore.
|
||||
* Hide --no-python-version-warning from CLI help and documentation
|
||||
as it's useless since Python 2 support was removed.
|
||||
* A warning is emitted when the deprecated pkg_resources library is
|
||||
used to inspect and discover installed packages.
|
||||
* Deprecate the legacy setup.py bdist_wheel mechanism. To silence
|
||||
the warning, and future-proof their setup, users should enable
|
||||
--use-pep517 or add a pyproject.toml file to the projects they
|
||||
control.
|
||||
* Using --debug also enables verbose logging.
|
||||
* Display a transient progress bar during package installation.
|
||||
* Add a --group option which allows installation from PEP 735
|
||||
Dependency Groups.
|
||||
* Use PEP 753 "Well-known Project URLs in Metadata" normalization
|
||||
rules when identifying an equivalent project URL to replace
|
||||
a missing Home-Page field in pip show.
|
||||
* Add a new, experimental, pip lock command, implementing PEP 751.
|
||||
* Resolvelib 1.1.0 fixes a known issue where pip would report a
|
||||
ResolutionImpossible error even though there is a valid solution.
|
||||
However, some very complex dependency resolutions that previously
|
||||
resolved may resolve slower or fail with an ResolutionTooDeep error.
|
||||
# 25.2
|
||||
* Declare support for Python 3.14
|
||||
* Automatic download resumption and retrying is enabled by default.
|
||||
* Requires-Python error message displays version clauses in numerical
|
||||
order.
|
||||
* Show time taken instead of eta 0:00:00 at download completion.
|
||||
* Remove warning when cloning from a Git reference that does not look
|
||||
like a commit hash.
|
||||
* pip's own licensing metadata now follows PEP 639. In addition, the
|
||||
licenses of pip's vendored dependencies are now included in the
|
||||
License-File metadata field and in the wheel.
|
||||
- Drop no-longer-applicable distutils-reproducible-compile.patch
|
||||
* distlib was trimmed https://github.com/pypa/pip/pull/13342
|
||||
- Add upstream flit-core.patch to fix build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 17 12:40:51 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user