pip 25.2__py3-none-any.whl → 26.0__py3-none-any.whl

pip/_internal/utils/unpacking.py

@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
     abs_directory = os.path.abspath(directory)
     abs_target = os.path.abspath(target)
 
-    prefix = os.path.commonprefix([abs_directory, abs_target])
+    prefix = os.path.commonpath([abs_directory, abs_target])
     return prefix == abs_directory
 
 
@@ -248,6 +248,20 @@ def untar_file(filename: str, location: str) -> None:
         tar.close()
 
 
+def is_symlink_target_in_tar(tar: tarfile.TarFile, tarinfo: tarfile.TarInfo) -> bool:
+    """Check if the file pointed to by the symbolic link is in the tar archive"""
+    linkname = os.path.join(os.path.dirname(tarinfo.name), tarinfo.linkname)
+
+    linkname = os.path.normpath(linkname)
+    linkname = linkname.replace("\\", "/")
+
+    try:
+        tar.getmember(linkname)
+        return True
+    except KeyError:
+        return False
+
+
 def _untar_without_filter(
     filename: str,
     location: str,
@@ -255,6 +269,9 @@ def _untar_without_filter(
     leading: bool,
 ) -> None:
     """Fallback for Python without tarfile.data_filter"""
+    # NOTE: This function can be removed once pip requires CPython ≥ 3.12.​
+    # PEP 706 added tarfile.data_filter, made tarfile extraction operations more secure.
+    # This feature is fully supported from CPython 3.12 onward.
     for member in tar.getmembers():
         fn = member.name
         if leading:
@@ -269,6 +286,14 @@ def _untar_without_filter(
         if member.isdir():
             ensure_dir(path)
         elif member.issym():
+            if not is_symlink_target_in_tar(tar, member):
+                message = (
+                    "The tar file ({}) has a file ({}) trying to install "
+                    "outside target directory ({})"
+                )
+                raise InstallationError(
+                    message.format(filename, member.name, member.linkname)
+                )
             try:
                 tar._extract_member(member, path)
             except Exception as exc:

pip/_internal/vcs/versioncontrol.py

@@ -62,8 +62,9 @@ def make_vcs_requirement_url(
       repo_url: the remote VCS url, with any needed VCS prefix (e.g. "git+").
       project_name: the (unescaped) project name.
     """
+    quoted_rev = urllib.parse.quote(rev, "/")
     egg_project_name = project_name.replace("-", "_")
-    req = f"{repo_url}@{rev}#egg={egg_project_name}"
+    req = f"{repo_url}@{quoted_rev}#egg={egg_project_name}"
     if subdir:
         req += f"&subdirectory={subdir}"
 
@@ -397,6 +398,7 @@ class VersionControl:
                     "which is not supported. Include a revision after @ "
                     "or remove @ from the URL."
                 )
+            rev = urllib.parse.unquote(rev)
         url = urllib.parse.urlunsplit((scheme, netloc, path, query, ""))
         return url, rev, user_pass
 

pip/_internal/wheel_builder.py

@@ -5,8 +5,8 @@ from __future__ import annotations
 import logging
 import os.path
 import re
-import shutil
 from collections.abc import Iterable
+from tempfile import TemporaryDirectory
 
 from pip._vendor.packaging.utils import canonicalize_name, canonicalize_version
 from pip._vendor.packaging.version import InvalidVersion, Version
@@ -18,13 +18,9 @@ from pip._internal.models.link import Link
 from pip._internal.models.wheel import Wheel
 from pip._internal.operations.build.wheel import build_wheel_pep517
 from pip._internal.operations.build.wheel_editable import build_wheel_editable
-from pip._internal.operations.build.wheel_legacy import build_wheel_legacy
 from pip._internal.req.req_install import InstallRequirement
 from pip._internal.utils.logging import indent_log
 from pip._internal.utils.misc import ensure_dir, hash_file
-from pip._internal.utils.setuptools_build import make_setuptools_clean_args
-from pip._internal.utils.subprocess import call_subprocess
-from pip._internal.utils.temp_dir import TempDirectory
 from pip._internal.utils.urls import path_to_url
 from pip._internal.vcs import vcs
 
@@ -43,37 +39,12 @@ def _contains_egg_info(s: str) -> bool:
     return bool(_egg_info_re.search(s))
 
 
-def _should_build(
-    req: InstallRequirement,
-) -> bool:
-    """Return whether an InstallRequirement should be built into a wheel."""
-    assert not req.constraint
-
-    if req.is_wheel:
-        return False
-
-    assert req.source_dir
-
-    if req.editable:
-        # we only build PEP 660 editable requirements
-        return req.supports_pyproject_editable
-
-    return True
-
-
-def should_build_for_install_command(
-    req: InstallRequirement,
-) -> bool:
-    return _should_build(req)
-
-
 def _should_cache(
     req: InstallRequirement,
 ) -> bool | None:
     """
     Return whether a built InstallRequirement can be stored in the persistent
-    wheel cache, assuming the wheel cache is available, and _should_build()
-    has determined a wheel needs to be built.
+    wheel cache, assuming the wheel cache is available.
     """
     if req.editable or not req.source_dir:
         # never cache editable requirements
@@ -118,7 +89,7 @@ def _get_cache_dir(
 def _verify_one(req: InstallRequirement, wheel_path: str) -> None:
     canonical_name = canonicalize_name(req.name or "")
     w = Wheel(os.path.basename(wheel_path))
-    if canonicalize_name(w.name) != canonical_name:
+    if w.name != canonical_name:
         raise InvalidWheelFilename(
             f"Wheel has unexpected file name: expected {canonical_name!r}, "
             f"got {w.name!r}",
@@ -148,8 +119,6 @@ def _build_one(
     req: InstallRequirement,
     output_dir: str,
     verify: bool,
-    build_options: list[str],
-    global_options: list[str],
     editable: bool,
 ) -> str | None:
     """Build one wheel.
@@ -170,9 +139,7 @@ def _build_one(
 
     # Install build deps into temporary directory (PEP 518)
     with req.build_env:
-        wheel_path = _build_one_inside_env(
-            req, output_dir, build_options, global_options, editable
-        )
+        wheel_path = _build_one_inside_env(req, output_dir, editable)
     if wheel_path and verify:
         try:
             _verify_one(req, wheel_path)
@@ -185,45 +152,25 @@ def _build_one(
 def _build_one_inside_env(
     req: InstallRequirement,
     output_dir: str,
-    build_options: list[str],
-    global_options: list[str],
     editable: bool,
 ) -> str | None:
-    with TempDirectory(kind="wheel") as temp_dir:
+    with TemporaryDirectory(dir=output_dir) as wheel_directory:
         assert req.name
-        if req.use_pep517:
-            assert req.metadata_directory
-            assert req.pep517_backend
-            if global_options:
-                logger.warning(
-                    "Ignoring --global-option when building %s using PEP 517", req.name
-                )
-            if build_options:
-                logger.warning(
-                    "Ignoring --build-option when building %s using PEP 517", req.name
-                )
-            if editable:
-                wheel_path = build_wheel_editable(
-                    name=req.name,
-                    backend=req.pep517_backend,
-                    metadata_directory=req.metadata_directory,
-                    tempd=temp_dir.path,
-                )
-            else:
-                wheel_path = build_wheel_pep517(
-                    name=req.name,
-                    backend=req.pep517_backend,
-                    metadata_directory=req.metadata_directory,
-                    tempd=temp_dir.path,
-                )
+        assert req.metadata_directory
+        assert req.pep517_backend
+        if editable:
+            wheel_path = build_wheel_editable(
+                name=req.name,
+                backend=req.pep517_backend,
+                metadata_directory=req.metadata_directory,
+                wheel_directory=wheel_directory,
+            )
         else:
-            wheel_path = build_wheel_legacy(
+            wheel_path = build_wheel_pep517(
                 name=req.name,
-                setup_py_path=req.setup_py_path,
-                source_dir=req.unpacked_source_directory,
-                global_options=global_options,
-                build_options=build_options,
-                tempd=temp_dir.path,
+                backend=req.pep517_backend,
+                metadata_directory=req.metadata_directory,
+                wheel_directory=wheel_directory,
             )
 
         if wheel_path is not None:
@@ -231,7 +178,11 @@ def _build_one_inside_env(
             dest_path = os.path.join(output_dir, wheel_name)
             try:
                 wheel_hash, length = hash_file(wheel_path)
-                shutil.move(wheel_path, dest_path)
+                # We can do a replace here because wheel_path is guaranteed to
+                # be in the same filesystem as output_dir. This will perform an
+                # atomic rename, which is necessary to avoid concurrency issues
+                # when populating the cache.
+                os.replace(wheel_path, dest_path)
                 logger.info(
                     "Created wheel for %s: filename=%s size=%d sha256=%s",
                     req.name,
@@ -247,35 +198,13 @@ def _build_one_inside_env(
                     req.name,
                     e,
                 )
-        # Ignore return, we can't do anything else useful.
-        if not req.use_pep517:
-            _clean_one_legacy(req, global_options)
         return None
 
 
-def _clean_one_legacy(req: InstallRequirement, global_options: list[str]) -> bool:
-    clean_args = make_setuptools_clean_args(
-        req.setup_py_path,
-        global_options=global_options,
-    )
-
-    logger.info("Running setup.py clean for %s", req.name)
-    try:
-        call_subprocess(
-            clean_args, command_desc="python setup.py clean", cwd=req.source_dir
-        )
-        return True
-    except Exception:
-        logger.error("Failed cleaning build dir for %s", req.name)
-        return False
-
-
 def build(
     requirements: Iterable[InstallRequirement],
     wheel_cache: WheelCache,
     verify: bool,
-    build_options: list[str],
-    global_options: list[str],
 ) -> BuildResult:
     """Build wheels.
 
@@ -300,8 +229,6 @@ def build(
                 req,
                 cache_dir,
                 verify,
-                build_options,
-                global_options,
                 req.editable and req.permit_editable_wheels,
             )
             if wheel_file:

pip/_vendor/README.rst

@@ -0,0 +1,180 @@
+================
+Vendoring Policy
+================
+
+* Vendored libraries **MUST** not be modified except as required to
+  successfully vendor them.
+* Vendored libraries **MUST** be released copies of libraries available on
+  PyPI.
+* Vendored libraries **MUST** be available under a license that allows
+  them to be integrated into ``pip``, which is released under the MIT license.
+* Vendored libraries **MUST** be accompanied with LICENSE files.
+* The versions of libraries vendored in pip **MUST** be reflected in
+  ``pip/_vendor/vendor.txt``.
+* Vendored libraries **MUST** function without any build steps such as ``2to3``
+  or compilation of C code, practically this limits to single source 2.x/3.x and
+  pure Python.
+* Any modifications made to libraries **MUST** be noted in
+  ``pip/_vendor/README.rst`` and their corresponding patches **MUST** be
+  included ``tools/vendoring/patches``.
+* Vendored libraries should have corresponding ``vendored()`` entries in
+  ``pip/_vendor/__init__.py``.
+
+Rationale
+=========
+
+Historically pip has not had any dependencies except for ``setuptools`` itself,
+choosing instead to implement any functionality it needed to prevent needing
+a dependency. However, starting with pip 1.5, we began to replace code that was
+implemented inside of pip with reusable libraries from PyPI. This brought the
+typical benefits of reusing libraries instead of reinventing the wheel like
+higher quality and more battle tested code, centralization of bug fixes
+(particularly security sensitive ones), and better/more features for less work.
+
+However, there are several issues with having dependencies in the traditional
+way (via ``install_requires``) for pip. These issues are:
+
+**Fragility**
+   When pip depends on another library to function then if for whatever reason
+   that library either isn't installed or an incompatible version is installed
+   then pip ceases to function. This is of course true for all Python
+   applications, however for every application *except* for pip the way you fix
+   it is by re-running pip. Obviously, when pip can't run, you can't use pip to
+   fix pip, so you're left having to manually resolve dependencies and
+   installing them by hand.
+
+**Making other libraries uninstallable**
+   One of pip's current dependencies is the ``requests`` library, for which pip
+   requires a fairly recent version to run.  If pip depended on ``requests`` in
+   the traditional manner, then we'd either have to maintain compatibility with
+   every ``requests`` version that has ever existed (and ever will), OR allow
+   pip to render certain versions of ``requests`` uninstallable. (The second
+   issue, although technically true for any Python application, is magnified by
+   pip's ubiquity; pip is installed by default in Python, in ``pyvenv``, and in
+   ``virtualenv``.)
+
+**Security**
+   This might seem puzzling at first glance, since vendoring has a tendency to
+   complicate updating dependencies for security updates, and that holds true
+   for pip. However, given the *other* reasons for avoiding dependencies, the
+   alternative is for pip to reinvent the wheel itself.  This is what pip did
+   historically. It forced pip to re-implement its own HTTPS verification
+   routines as a workaround for the Python standard library's lack of SSL
+   validation, which resulted in similar bugs in the validation routine in
+   ``requests`` and ``urllib3``, except that they had to be discovered and
+   fixed independently. Even though we're vendoring, reusing libraries keeps
+   pip more secure by relying on the great work of our dependencies, *and*
+   allowing for faster, easier security fixes by simply pulling in newer
+   versions of dependencies.
+
+**Bootstrapping**
+   Currently most popular methods of installing pip rely on pip's
+   self-contained nature to install pip itself. These tools work by bundling a
+   copy of pip, adding it to ``sys.path``, and then executing that copy of pip.
+   This is done instead of implementing a "mini installer" (to reduce
+   duplication); pip already knows how to install a Python package, and is far
+   more battle-tested than any "mini installer" could ever possibly be.
+
+Many downstream redistributors have policies against this kind of bundling, and
+instead opt to patch the software they distribute to debundle it and make it
+rely on the global versions of the software that they already have packaged
+(which may have its own patches applied to it). We (the pip team) would prefer
+it if pip was *not* debundled in this manner due to the above reasons and
+instead we would prefer it if pip would be left intact as it is now.
+
+In the longer term, if someone has a *portable* solution to the above problems,
+other than the bundling method we currently use, that doesn't add additional
+problems that are unreasonable then we would be happy to consider, and possibly
+switch to said method. This solution must function correctly across all of the
+situation that we expect pip to be used and not mandate some external mechanism
+such as OS packages.
+
+
+Modifications
+=============
+
+* ``setuptools`` is completely stripped to only keep ``pkg_resources``.
+* ``pkg_resources`` has been modified to import its dependencies from
+  ``pip._vendor``, and to use the vendored copy of ``platformdirs``
+  rather than ``appdirs``.
+* ``packaging`` has been modified to import its dependencies from
+  ``pip._vendor``.
+* ``CacheControl`` has been modified to import its dependencies from
+  ``pip._vendor``.
+* ``requests`` has been modified to import its other dependencies from
+  ``pip._vendor`` and to *not* load ``simplejson`` (all platforms) and
+  ``pyopenssl`` (Windows).
+* ``platformdirs`` has been modified to import its submodules from ``pip._vendor.platformdirs``.
+
+Automatic Vendoring
+===================
+
+Vendoring is automated via the `vendoring <https://pypi.org/project/vendoring/>`_ tool from the content of
+``pip/_vendor/vendor.txt`` and the different patches in
+``tools/vendoring/patches``.
+Launch it via ``vendoring sync . -v`` (requires ``vendoring>=0.2.2``).
+Tool configuration is done via ``pyproject.toml``.
+
+To update the vendored library versions, we have a session defined in ``nox``.
+The command to upgrade everything is::
+
+    nox -s vendoring -- --upgrade-all --skip urllib3 --skip setuptools
+
+At the time of writing (April 2025) we do not upgrade ``urllib3`` because the
+next version is a major upgrade and will be handled as an independent PR. We also
+do not upgrade ``setuptools``, because we only rely on ``pkg_resources``, and
+tracking every ``setuptools`` change is unnecessary for our needs.
+
+
+Managing Local Patches
+======================
+
+The ``vendoring`` tool automatically applies our local patches, but updating,
+the patches sometimes no longer apply cleanly. In that case, the update will
+fail. To resolve this, take the following steps:
+
+1. Revert any incomplete changes in the revendoring branch, to ensure you have
+   a clean starting point.
+2. Run the revendoring of the library with a problem again: ``nox -s vendoring
+   -- --upgrade <library_name>``.
+3. This will fail again, but you will have the original source in your working
+   directory. Review the existing patch against the source, and modify the patch
+   to reflect the new version of the source. If you ``git add`` the changes the
+   vendoring made, you can modify the source to reflect the patch file and then
+   generate a new patch with ``git diff``.
+4. Now, revert everything *except* the patch file changes. Leave the modified
+   patch file unstaged but saved in the working tree.
+5. Re-run the vendoring. This time, it should pick up the changed patch file
+   and apply it cleanly. The patch file changes will be committed along with the
+   revendoring, so the new commit should be ready to test and publish as a PR.
+
+
+Debundling
+==========
+
+As mentioned in the rationale, we, the pip team, would prefer it if pip was not
+debundled (other than optionally ``pip/_vendor/requests/cacert.pem``) and that
+pip was left intact. However, if you insist on doing so, we have a
+semi-supported method (that we don't test in our CI) and requires a bit of
+extra work on your end in order to solve the problems described above.
+
+1. Delete everything in ``pip/_vendor/`` **except** for
+   ``pip/_vendor/__init__.py`` and ``pip/_vendor/vendor.txt``.
+2. Generate wheels for each of pip's dependencies (and any of their
+   dependencies) using your patched copies of these libraries. These must be
+   placed somewhere on the filesystem that pip can access (``pip/_vendor`` is
+   the default assumption).
+3. Modify ``pip/_vendor/__init__.py`` so that the ``DEBUNDLED`` variable is
+   ``True``.
+4. Upon installation, the ``INSTALLER`` file in pip's own ``dist-info``
+   directory should be set to something other than ``pip``, so that pip
+   can detect that it wasn't installed using itself.
+5. *(optional)* If you've placed the wheels in a location other than
+   ``pip/_vendor/``, then modify ``pip/_vendor/__init__.py`` so that the
+   ``WHEEL_DIR`` variable points to the location you've placed them.
+6. *(optional)* Update the ``pip_self_version_check`` logic to use the
+   appropriate logic for determining the latest available version of pip and
+   prompt the user with the correct upgrade message.
+
+Note that partial debundling is **NOT** supported. You need to prepare wheels
+for all dependencies for successful debundling.

pip/_vendor/cachecontrol/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright 2012-2021  Eric Larson
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

pip/_vendor/cachecontrol/__init__.py

@@ -7,14 +7,17 @@
 Make it easy to import from cachecontrol without long namespaces.
 """
 
-__author__ = "Eric Larson"
-__email__ = "eric@ionrock.org"
-__version__ = "0.14.3"
+import importlib.metadata
 
 from pip._vendor.cachecontrol.adapter import CacheControlAdapter
 from pip._vendor.cachecontrol.controller import CacheController
 from pip._vendor.cachecontrol.wrapper import CacheControl
 
+__author__ = "Eric Larson"
+__email__ = "eric@ionrock.org"
+# pip patch: this won't work when vendored, so just patch it out as it's unused
+# __version__ = importlib.metadata.version("cachecontrol")
+
 __all__ = [
     "__author__",
     "__email__",

pip/_vendor/cachecontrol/adapter.py

@@ -4,7 +4,6 @@
 from __future__ import annotations
 
 import functools
-import types
 import weakref
 import zlib
 from typing import TYPE_CHECKING, Any, Collection, Mapping

pip/_vendor/cachecontrol/controller.py

@@ -490,7 +490,7 @@ class CacheController:
         #
         # The server isn't supposed to send headers that would make
         # the cached body invalid. But... just in case, we'll be sure
-        # to strip out ones we know that might be problmatic due to
+        # to strip out ones we know that might be problematic due to
         # typical assumptions.
         excluded_headers = ["content-length"]
 

pip/_vendor/cachecontrol/filewrapper.py

@@ -8,6 +8,7 @@ from tempfile import NamedTemporaryFile
 from typing import TYPE_CHECKING, Any, Callable
 
 if TYPE_CHECKING:
+    from collections.abc import Buffer
     from http.client import HTTPResponse
 
 
@@ -31,7 +32,7 @@ class CallbackFileWrapper:
     """
 
     def __init__(
-        self, fp: HTTPResponse, callback: Callable[[bytes], None] | None
+        self, fp: HTTPResponse, callback: Callable[[Buffer], None] | None
     ) -> None:
         self.__buf = NamedTemporaryFile("rb+", delete=True)
         self.__fp = fp
@@ -68,6 +69,7 @@ class CallbackFileWrapper:
         return False
 
     def _close(self) -> None:
+        result: Buffer
         if self.__callback:
             if self.__buf.tell() == 0:
                 # Empty file:

pip/_vendor/certifi/LICENSE

@@ -0,0 +1,20 @@
+This package contains a modified version of ca-bundle.crt:
+
+ca-bundle.crt -- Bundle of CA Root Certificates
+
+This is a bundle of X.509 certificates of public Certificate Authorities
+(CA). These were automatically extracted from Mozilla's root certificates
+file (certdata.txt).  This file can be found in the mozilla source tree:
+https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
+It contains the certificates in PEM format and therefore
+can be directly used with curl / libcurl / php_curl, or with
+an Apache+mod_ssl webserver for SSL client authentication.
+Just configure this file as the SSLCACertificateFile.#
+
+***** BEGIN LICENSE BLOCK *****
+This Source Code Form is subject to the terms of the Mozilla Public License,
+v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
+one at http://mozilla.org/MPL/2.0/.
+
+***** END LICENSE BLOCK *****
+@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $

pip/_vendor/certifi/__init__.py

@@ -1,4 +1,4 @@
 from .core import contents, where
 
 __all__ = ["contents", "where"]
-__version__ = "2025.07.14"
+__version__ = "2026.01.04"