bpo-46985: Upgrade bundled pip to 22.0.4 #31819
Conversation
|
If someone wants to validate the file I've added here, you can download it directly from GitHub 1 and verify that the hash matches what's on PyPI. Or... You can trust that I'm not trying to inject malicious code into CPython. :) Footnotes |
Also looking forward to backporting this to 3.9 to quelch a warning on distutils/sysconfig behaviour mismatch.
|
IIUC, we should probably backport this all the way down to 3.7. |
|
I’m not sure what the backporting strategy is, but only 3.9 and 3.10 are showing the distutils warning from ensurepip right now, so that’s what I care most. |
|
Seems like we haven't upgraded the bundled pip/setuptools on the security fix branches in the past (e.g. #25576). |
|
Alrighty, then backporting down to 3.9 it is! :) |
|
There appear to be a couple of security issues that have been fixed in some of the vendored packages within the pip wheel (for example, CVE-2021-33503 in urllib3) since the 3.8 and 3.7 branches were last updated so I think it would be better to backport to them. I'll defer to @ambv for 3.8 but 3.7 is even older. |
|
Thanks @pradyunsg for the PR, and @ned-deily for merging it |
|
GH-31849 is a backport of this pull request to the 3.10 branch. |
|
Sorry, @pradyunsg and @ned-deily, I could not cleanly backport this to |
(cherry picked from commit d87f1b7) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
|
Sorry @pradyunsg and @ned-deily, I had trouble checking out the |
|
GH-31850 is a backport of this pull request to the 3.9 branch. |
(cherry picked from commit d87f1b7) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
(cherry picked from commit d87f1b7)
|
GH-31851 is a backport of this pull request to the 3.8 branch. |
|
GH-31852 is a backport of this pull request to the 3.7 branch. |
(cherry picked from commit d87f1b7)
* main: (94 commits) Revert "bpo-46986: Upgrade bundled setuptools to 60.9.3 (pythonGH-31820)" (pythonGH-31879) bpo-30677: [doc] mention that os.mkdir() can raise FileNotFoundError (pythonGH-31548) git ignore Lib/site-packages (pythonGH-31862) bpo-31415: importtime was made by Inada Naoki (pythonGH-31875) bpo-46920: Remove code that has explainers why it was disabled (pythonGH-31813) bpo-46920: Remove disabled debug code added decades ago and likely unnecessary (pythonGH-31812) bpo-46920: Remove code that has no explainer why it was disabled (pythonGH-31814) bpo-46906: Mention native endian in PyFloat_Pack8() doc (pythonGH-31866) bpo-40280: select: Use NULL for empty fdset (pythonGH-31865) CI: Fix patchcheck (pythonGH-31708) bpo-46987: Remove _PySys_GetObjectId / _PySys_GetObjectId (pythonGH-31835) bpo-46994: Accept explicit contextvars.Context in asyncio create_task() API (pythonGH-31837) bpo-39829: Fix `__len__()` is called twice in list() constructor (pythonGH-31816) bpo-47003: Cleanup _overlapped module (pythonGH-31848) bpo-47004: Sync with importlib_metadata 4.11.3. (python#31854) bpo-46986: Upgrade bundled setuptools to 60.9.3 (pythonGH-31820) bpo-46985: Upgrade bundled pip to 22.0.4 (pythonGH-31819) bpo-46805: Add low level UDP socket functions to asyncio (pythonGH-31455) bpo-46995: Deprecate missing asyncio.Task.set_name() for third-party task implementations (pythonGH-31838) bpo-43215: Document Happy Eyeballs args of asyncio.open_connection (pythonGH-24525) ...
* main: (94 commits) Revert "bpo-46986: Upgrade bundled setuptools to 60.9.3 (pythonGH-31820)" (pythonGH-31879) bpo-30677: [doc] mention that os.mkdir() can raise FileNotFoundError (pythonGH-31548) git ignore Lib/site-packages (pythonGH-31862) bpo-31415: importtime was made by Inada Naoki (pythonGH-31875) bpo-46920: Remove code that has explainers why it was disabled (pythonGH-31813) bpo-46920: Remove disabled debug code added decades ago and likely unnecessary (pythonGH-31812) bpo-46920: Remove code that has no explainer why it was disabled (pythonGH-31814) bpo-46906: Mention native endian in PyFloat_Pack8() doc (pythonGH-31866) bpo-40280: select: Use NULL for empty fdset (pythonGH-31865) CI: Fix patchcheck (pythonGH-31708) bpo-46987: Remove _PySys_GetObjectId / _PySys_GetObjectId (pythonGH-31835) bpo-46994: Accept explicit contextvars.Context in asyncio create_task() API (pythonGH-31837) bpo-39829: Fix `__len__()` is called twice in list() constructor (pythonGH-31816) bpo-47003: Cleanup _overlapped module (pythonGH-31848) bpo-47004: Sync with importlib_metadata 4.11.3. (python#31854) bpo-46986: Upgrade bundled setuptools to 60.9.3 (pythonGH-31820) bpo-46985: Upgrade bundled pip to 22.0.4 (pythonGH-31819) bpo-46805: Add low level UDP socket functions to asyncio (pythonGH-31455) bpo-46995: Deprecate missing asyncio.Task.set_name() for third-party task implementations (pythonGH-31838) bpo-43215: Document Happy Eyeballs args of asyncio.open_connection (pythonGH-24525) ...
That matches the hash on PyPI: https://pypi.org/project/pip/#copy-hash-modal-3c7d56c4-b870-46df-b7ea-70d95882728f
https://bugs.python.org/issue46985