virtualenv 21.2.2__tar.gz → 21.2.4__tar.gz

{virtualenv-21.2.2 → virtualenv-21.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: virtualenv
-Version: 21.2.2
+Version: 21.2.4
 Summary: Virtual Python Environment builder
 Project-URL: Documentation, https://virtualenv.pypa.io
 Project-URL: Homepage, https://github.com/pypa/virtualenv

{virtualenv-21.2.2 → virtualenv-21.2.4}/src/virtualenv/seed/embed/via_app_data/pip_install/base.py

@@ -1,7 +1,9 @@
 from __future__ import annotations
 
 import logging
+import ntpath
 import os
+import posixpath
 import re
 import zipfile
 from abc import ABC, abstractmethod
@@ -21,6 +23,24 @@ if TYPE_CHECKING:
 LOGGER = logging.getLogger(__name__)
 
 
+def _safe_extract_zip(zip_ref: zipfile.ZipFile, target_dir: Path) -> None:
+    # Guard against zip slip: a wheel is a zip and a tampered entry name (absolute path or one containing ``..``)
+    # could escape ``target_dir``.
+    base = target_dir.resolve()
+    for info in zip_ref.infolist():
+        name = info.filename
+        if name.startswith(("/", "\\")) or ntpath.isabs(name) or posixpath.isabs(name):
+            msg = f"refusing to extract absolute path entry from wheel: {name!r}"
+            raise RuntimeError(msg)
+        candidate = (base / name).resolve()
+        try:
+            candidate.relative_to(base)
+        except ValueError as exc:
+            msg = f"refusing to extract entry escaping target directory: {name!r}"
+            raise RuntimeError(msg) from exc
+    zip_ref.extractall(str(target_dir))
+
+
 class PipInstall(ABC):
     def __init__(self, wheel: Path, creator: Creator, image_folder: Path) -> None:
         self._wheel = wheel
@@ -49,11 +69,19 @@ class PipInstall(ABC):
         LOGGER.debug("generated console scripts %s", " ".join(i.name for i in consoles))
 
     def build_image(self) -> None:
+        """Extract the seed wheel into the image directory and fix up its RECORD file.
+
+        Each archive entry is validated before extraction so a tampered wheel cannot escape the image directory via an
+        absolute path or ``..`` traversal.
+
+        :raises RuntimeError: if the wheel contains an entry that would land outside the image directory.
+
+        """
         # 1. first extract the wheel
         LOGGER.debug("build install image for %s to %s", self._wheel.name, self._image_dir)
         with zipfile.ZipFile(str(self._wheel)) as zip_ref:
             self._shorten_path_if_needed(zip_ref)
-            zip_ref.extractall(str(self._image_dir))
+            _safe_extract_zip(zip_ref, self._image_dir)
             self._extracted = True
         # 2. now add additional files not present in the distribution
         new_files = self._generate_new_files()

{virtualenv-21.2.2 → virtualenv-21.2.4}/src/virtualenv/seed/wheels/acquire.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import logging
+import re
 import sys
 from operator import eq, lt
 from pathlib import Path
@@ -18,6 +19,34 @@ if TYPE_CHECKING:
 
 LOGGER = logging.getLogger(__name__)
 
+# PEP 503 normalized distribution name. Anything outside this character set on the way to ``pip download`` means
+# somebody is smuggling pip options or extras, so reject it before we build the command line.
+_DISTRIBUTION_RE = re.compile(
+    r"""
+    ^
+    (?P<name>
+        [A-Za-z0-9]                 # must start with an alnum
+        (?:[A-Za-z0-9._-]*           # inner chars: alnum plus . _ -
+           [A-Za-z0-9])?             # must also end with an alnum (unless length is 1)
+    )
+    $
+    """,
+    re.VERBOSE,
+)
+
+# Version specifier that matches what ``Version.as_version_spec`` emits: either empty, ``==<ver>`` or ``<<ver>`` where
+# ``<ver>`` is a subset of PEP 440 public versions. Kept deliberately strict so a crafted version cannot inject pip
+# flags.
+_VERSION_SPEC_RE = re.compile(
+    r"""
+    ^
+    (?P<operator>==|<)              # only the operators Version.as_version_spec can emit
+    (?P<version>[A-Za-z0-9._+!-]+)  # PEP 440 public-version character set, no whitespace
+    $
+    """,
+    re.VERBOSE,
+)
+
 
 def get_wheel(  # noqa: PLR0913
     distribution: str,
@@ -63,6 +92,26 @@ def download_wheel(  # noqa: PLR0913
     to_folder: Path,
     env: dict[str, str],
 ) -> Wheel:
+    """Invoke ``pip download`` in a subprocess to fetch a seed wheel.
+
+    :param distribution: PEP 503 normalized project name; rejected if it contains anything other than
+        ``[A-Za-z0-9._-]``.
+    :param version_spec: optional version specifier of the form ``==<ver>`` or ``<<ver>`` as emitted by
+        :func:`Version.as_version_spec`, or ``None``/empty for the latest compatible release.
+    :param for_py_version: major.minor Python version to pass through to ``pip --python-version``.
+    :param search_dirs: additional directories to treat as a local wheel index when bootstrapping pip.
+    :param app_data: application data store used to locate the embedded pip wheel.
+    :param to_folder: directory the downloaded wheel is written into.
+    :param env: environment mapping passed through to the subprocess.
+
+    :returns: the downloaded :class:`Wheel`.
+
+    :raises ValueError: if ``distribution`` or ``version_spec`` fail the strict allow-list check.
+    :raises CalledProcessError: if ``pip download`` exits with a non-zero status.
+
+    """
+    _check_distribution(distribution)
+    _check_version_spec(version_spec)
     to_download = f"{distribution}{version_spec or ''}"
     LOGGER.debug("download wheel %s %s to %s", to_download, for_py_version, to_folder)
     cmd = [
@@ -143,6 +192,20 @@ def pip_wheel_env_run(search_dirs: list[Path], app_data: AppData, env: dict[str,
     return env
 
 
+def _check_distribution(distribution: str) -> None:
+    if not _DISTRIBUTION_RE.fullmatch(distribution):
+        msg = f"refusing to download wheel for suspicious distribution name: {distribution!r}"
+        raise ValueError(msg)
+
+
+def _check_version_spec(version_spec: str | None) -> None:
+    if not version_spec:
+        return
+    if not _VERSION_SPEC_RE.fullmatch(version_spec):
+        msg = f"refusing to download wheel with suspicious version spec: {version_spec!r}"
+        raise ValueError(msg)
+
+
 __all__ = [
     "download_wheel",
     "get_wheel",

virtualenv-21.2.4/src/virtualenv/seed/wheels/embed/__init__.py

@@ -0,0 +1,119 @@
+from __future__ import annotations
+
+import hashlib
+import zipfile
+from pathlib import Path
+
+from virtualenv.info import IS_ZIPAPP, ROOT
+from virtualenv.seed.wheels.util import Wheel
+
+BUNDLE_FOLDER = Path(__file__).absolute().parent
+BUNDLE_SUPPORT = {
+    "3.8": {
+        "pip": "pip-25.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-75.3.4-py3-none-any.whl",
+        "wheel": "wheel-0.45.1-py3-none-any.whl",
+    },
+    "3.9": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.10": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.11": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.12": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.13": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.14": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+    "3.15": {
+        "pip": "pip-26.0.1-py3-none-any.whl",
+        "setuptools": "setuptools-82.0.1-py3-none-any.whl",
+    },
+}
+MAX = "3.8"
+
+# SHA-256 of every bundled wheel. Verified on load so a corrupted or tampered wheel on disk fails loud instead of
+# being handed to pip. Generated together with ``BUNDLE_SUPPORT`` by ``tasks/upgrade_wheels.py``.
+BUNDLE_SHA256 = {
+    "pip-25.0.1-py3-none-any.whl": "c46efd13b6aa8279f33f2864459c8ce587ea6a1a59ee20de055868d8f7688f7f",
+    "pip-26.0.1-py3-none-any.whl": "bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b",
+    "setuptools-75.3.4-py3-none-any.whl": "2dd50a7f42dddfa1d02a36f275dbe716f38ed250224f609d35fb60a09593d93e",
+    "setuptools-82.0.1-py3-none-any.whl": "a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb",
+    "wheel-0.45.1-py3-none-any.whl": "708e7481cc80179af0e556bbf0cc00b8444c7321e2700b8d8580231d13017248",
+}
+
+_VERIFIED_WHEELS: set[str] = set()
+
+
+def get_embed_wheel(distribution: str, for_py_version: str) -> Wheel | None:
+    """Return the bundled wheel that ships with virtualenv for a given distribution and Python version.
+
+    :param distribution: project name of the seed package, for example ``pip`` or ``setuptools``.
+    :param for_py_version: major.minor Python version string the environment will be created for.
+
+    :returns: a :class:`Wheel` pointing at the verified bundled file, or ``None`` when no wheel is bundled for the
+        requested combination.
+
+    :raises RuntimeError: if the bundled wheel on disk fails SHA-256 verification.
+
+    """
+    mapping = BUNDLE_SUPPORT.get(for_py_version, {}) or BUNDLE_SUPPORT[MAX]
+    wheel_file = mapping.get(distribution)
+    if wheel_file is None:
+        return None
+    path = BUNDLE_FOLDER / wheel_file
+    _verify_bundled_wheel(path)
+    return Wheel.from_path(path)
+
+
+def _verify_bundled_wheel(path: Path) -> None:
+    name = path.name
+    if name in _VERIFIED_WHEELS:
+        return
+    expected = BUNDLE_SHA256.get(name)
+    if expected is None:
+        msg = f"bundled wheel {name} has no recorded sha256 in BUNDLE_SHA256"
+        raise RuntimeError(msg)
+    actual = _hash_bundled_wheel(path)
+    if actual != expected:
+        msg = f"bundled wheel {name} sha256 mismatch: expected {expected}, got {actual}"
+        raise RuntimeError(msg)
+    _VERIFIED_WHEELS.add(name)
+
+
+def _hash_bundled_wheel(path: Path) -> str:
+    # ``path`` is under the package directory; when virtualenv runs from a zipapp the wheel lives inside the
+    # archive and cannot be opened as a regular file, so read the bytes straight from the zipapp entry.
+    digest = hashlib.sha256()
+    if IS_ZIPAPP:
+        entry = path.resolve().relative_to(Path(ROOT).resolve()).as_posix()
+        with zipfile.ZipFile(ROOT, "r") as archive, archive.open(entry) as stream:
+            for chunk in iter(lambda: stream.read(1 << 20), b""):
+                digest.update(chunk)
+    else:
+        with path.open("rb") as stream:
+            for chunk in iter(lambda: stream.read(1 << 20), b""):
+                digest.update(chunk)
+    return digest.hexdigest()
+
+
+__all__ = [
+    "BUNDLE_FOLDER",
+    "BUNDLE_SHA256",
+    "BUNDLE_SUPPORT",
+    "MAX",
+    "get_embed_wheel",
+]

{virtualenv-21.2.2 → virtualenv-21.2.4}/src/virtualenv/seed/wheels/periodic_update.py

@@ -360,10 +360,20 @@ def release_date_for_wheel_path(dest: Path) -> datetime | None:
     return None
 
 
+#: Opt-in escape hatch to restore the pre-2026 behavior of falling back to an unverified HTTPS context when the
+#: verified request fails. Off by default: a failed TLS handshake on the PyPI metadata lookup now aborts the update
+#: instead of silently downgrading, because the response drives which wheel version virtualenv thinks is up to date.
+_INSECURE_FALLBACK_ENV = "VIRTUALENV_PERIODIC_UPDATE_INSECURE"
+
+
 def _request_context() -> Generator[ssl.SSLContext | None, None, None]:
     yield None
-    # fallback to non verified HTTPS (the information we request is not sensitive, so fallback)
-    yield ssl._create_unverified_context()  # noqa: S323, SLF001
+    if os.environ.get(_INSECURE_FALLBACK_ENV):
+        LOGGER.warning(
+            "falling back to unverified HTTPS for PyPI metadata because %s is set",
+            _INSECURE_FALLBACK_ENV,
+        )
+        yield ssl._create_unverified_context()  # noqa: S323, SLF001
 
 
 _PYPI_CACHE = {}

{virtualenv-21.2.2 → virtualenv-21.2.4}/src/virtualenv/util/zipapp.py

@@ -1,14 +1,10 @@
 from __future__ import annotations
 
 import logging
-import os
 import zipfile
-from typing import TYPE_CHECKING
+from pathlib import Path
 
-from virtualenv.info import IS_WIN, ROOT
-
-if TYPE_CHECKING:
-    from pathlib import Path
+from virtualenv.info import ROOT
 
 LOGGER = logging.getLogger(__name__)
 
@@ -29,16 +25,18 @@ def extract(full_path: str | Path, dest: Path) -> None:
 
 
 def _get_path_within_zip(full_path: str | Path) -> str:
-    full_path = os.path.realpath(os.path.abspath(str(full_path)))
-    prefix = f"{ROOT}{os.sep}"
-    if not full_path.startswith(prefix):
-        msg = f"full_path={full_path} should start with prefix={prefix}."
-        raise RuntimeError(msg)
-    sub_file = full_path[len(prefix) :]
-    if IS_WIN:
-        # paths are always UNIX separators, even on Windows, though __file__ still follows platform default
-        sub_file = sub_file.replace(os.sep, "/")
-    return sub_file
+    # Use Path.relative_to so symlinks and ``..`` segments cannot slip through a string ``startswith`` check. The zipapp
+    # root is a real file we own so ``resolve`` is safe; anything that does not resolve under ROOT is a bug or an
+    # attempt to escape the archive and we refuse it.
+    resolved = Path(full_path).resolve()
+    root = Path(ROOT).resolve()
+    try:
+        relative = resolved.relative_to(root)
+    except ValueError as exc:
+        msg = f"full_path={resolved} should be within ROOT={root}"
+        raise RuntimeError(msg) from exc
+    # Zip entries always use forward slashes regardless of platform.
+    return relative.as_posix()
 
 
 __all__ = [

{virtualenv-21.2.2 → virtualenv-21.2.4}/src/virtualenv/version.py

@@ -18,7 +18,7 @@ version_tuple: tuple[int | str, ...]
 commit_id: str | None
 __commit_id__: str | None
 
-__version__ = version = '21.2.2'
-__version_tuple__ = version_tuple = (21, 2, 2)
+__version__ = version = '21.2.4'
+__version_tuple__ = version_tuple = (21, 2, 4)
 
 __commit_id__ = commit_id = None

virtualenv-21.2.4/tasks/upgrade_wheels.py

@@ -0,0 +1,265 @@
+"""Helper script to rebuild virtualenv_support. Downloads the wheel files using pip."""
+
+from __future__ import annotations
+
+import ast
+import hashlib
+import os
+import shutil
+import subprocess
+import sys
+from collections import OrderedDict, defaultdict
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from textwrap import dedent
+from threading import Thread
+from typing import NoReturn
+
+STRICT = "UPGRADE_ADVISORY" not in os.environ
+
+BUNDLED = ["pip", "setuptools", "wheel"]
+SUPPORT = [(3, i) for i in range(8, 16)]
+DEST = Path(__file__).resolve().parents[1] / "src" / "virtualenv" / "seed" / "wheels" / "embed"
+
+
+def run() -> NoReturn:
+    if "--regen" in sys.argv[1:]:
+        render_init()
+        raise SystemExit(0)
+    old_batch = {i.name for i in DEST.iterdir() if i.suffix == ".whl"}
+    with TemporaryDirectory() as temp:
+        folders = _download_all(Path(temp))
+        new_batch = {i.name: i for f in folders for i in Path(f).iterdir()}
+        new_packages = new_batch.keys() - old_batch
+        remove_packages = old_batch - new_batch.keys()
+        _sync_dest(new_packages, remove_packages, new_batch)
+        added = collect_package_versions(new_packages)
+        removed = collect_package_versions(remove_packages)
+        outcome = (1 if STRICT else 0) if (added or removed) else 0
+        print(f"Outcome {outcome} added {added} removed {removed}")  # noqa: T201
+        _write_changelog(added, removed)
+        render_init(folders=folders)
+        raise SystemExit(outcome)
+
+
+def _download_all(temp_path: Path) -> dict[Path, str]:
+    folders: dict[Path, str] = {}
+    targets: list[Thread] = []
+    for support in SUPPORT:
+        support_ver = ".".join(str(i) for i in support)
+        into = temp_path / support_ver
+        into.mkdir()
+        folders[into] = support_ver
+        for package in BUNDLED:
+            if package == "wheel" and support >= (3, 9):
+                continue
+            thread = Thread(target=download, args=(support_ver, str(into), package))
+            targets.append(thread)
+            thread.start()
+    for thread in targets:
+        thread.join()
+    return folders
+
+
+def _sync_dest(new_packages: set[str], remove_packages: set[str], new_batch: dict[str, Path]) -> None:
+    for package in remove_packages:
+        (DEST / package).unlink()
+    for package in new_packages:
+        shutil.copy2(str(new_batch[package]), DEST / package)
+
+
+def _write_changelog(added: dict[str, list[str]], removed: dict[str, list[str]]) -> None:
+    lines = ["Upgrade embedded wheels:", ""]
+    for key, versions in added.items():
+        text = f"* {key} to {fmt_version(versions)}"
+        if key in removed:
+            rem = ", ".join(f"``{i}``" for i in removed[key])
+            text += f" from {rem}"
+            del removed[key]
+        lines.append(text)
+    for key, versions in removed.items():
+        lines.append(f"Removed {key} of {fmt_version(versions)}")
+    lines.append("")
+    changelog = "\n".join(lines)
+    print(changelog)  # noqa: T201
+    if len(lines) >= 4:  # noqa: PLR2004
+        (Path(__file__).parents[1] / "docs" / "changelog" / "u.bugfix.rst").write_text(changelog, encoding="utf-8")
+
+
+def render_init(folders: dict[Path, str] | None = None) -> None:
+    """Write ``embed/__init__.py`` from the wheels currently in DEST.
+
+    When called from ``run()`` after a download round, ``folders`` maps each per-python-version temp folder to its
+    version string, which is how support for a wheel is determined. When called with ``--regen`` there are no downloaded
+    folders — the existing ``BUNDLE_SUPPORT`` from the current ``__init__.py`` is used so regeneration is deterministic.
+
+    """
+    if folders is None:
+        support_table = _support_table_from_existing_init()
+    else:
+        present = {i.name: i for f in folders for i in Path(f).iterdir() if i.suffix == ".whl"}
+        support_table = OrderedDict((".".join(str(j) for j in i), []) for i in SUPPORT)
+        for package in sorted(present):
+            for folder, version in sorted(folders.items()):
+                if (folder / package).exists():
+                    support_table[version].append(package)
+        support_table = OrderedDict((k, OrderedDict((i.split("-")[0], i) for i in v)) for k, v in support_table.items())
+    wheel_names = sorted({wheel for mapping in support_table.values() for wheel in mapping.values()})
+    sha_table = OrderedDict((name, _sha256(DEST / name)) for name in wheel_names)
+    nl = "\n"
+    bundle = "".join(
+        f"\n        {v!r}: {{{nl}{''.join(f'            {p!r}: {f!r},{nl}' for p, f in line.items())}        }},"
+        for v, line in support_table.items()
+    )
+    sha_block = "".join(f"\n        {name!r}: {digest!r}," for name, digest in sha_table.items())
+    msg = dedent(
+        f"""
+    from __future__ import annotations
+
+    import hashlib
+    import zipfile
+    from pathlib import Path
+
+    from virtualenv.info import IS_ZIPAPP, ROOT
+    from virtualenv.seed.wheels.util import Wheel
+
+    BUNDLE_FOLDER = Path(__file__).absolute().parent
+    BUNDLE_SUPPORT = {{ {bundle} }}
+    MAX = {next(iter(support_table.keys()))!r}
+
+    # SHA-256 of every bundled wheel. Verified on load so a corrupted or tampered wheel on disk fails loud instead of
+    # being handed to pip. Generated together with ``BUNDLE_SUPPORT`` by ``tasks/upgrade_wheels.py``.
+    BUNDLE_SHA256 = {{ {sha_block} }}
+
+    _VERIFIED_WHEELS: set[str] = set()
+
+
+    def get_embed_wheel(distribution: str, for_py_version: str) -> Wheel | None:
+        \"\"\"Return the bundled wheel that ships with virtualenv for a given distribution and Python version.
+
+        :param distribution: project name of the seed package, for example ``pip`` or ``setuptools``.
+        :param for_py_version: major.minor Python version string the environment will be created for.
+
+        :returns: a :class:`Wheel` pointing at the verified bundled file, or ``None`` when no wheel is bundled for the
+            requested combination.
+
+        :raises RuntimeError: if the bundled wheel on disk fails SHA-256 verification.
+
+        \"\"\"
+        mapping = BUNDLE_SUPPORT.get(for_py_version, {{}}) or BUNDLE_SUPPORT[MAX]
+        wheel_file = mapping.get(distribution)
+        if wheel_file is None:
+            return None
+        path = BUNDLE_FOLDER / wheel_file
+        _verify_bundled_wheel(path)
+        return Wheel.from_path(path)
+
+
+    def _verify_bundled_wheel(path: Path) -> None:
+        name = path.name
+        if name in _VERIFIED_WHEELS:
+            return
+        expected = BUNDLE_SHA256.get(name)
+        if expected is None:
+            msg = f"bundled wheel {{name}} has no recorded sha256 in BUNDLE_SHA256"
+            raise RuntimeError(msg)
+        actual = _hash_bundled_wheel(path)
+        if actual != expected:
+            msg = f"bundled wheel {{name}} sha256 mismatch: expected {{expected}}, got {{actual}}"
+            raise RuntimeError(msg)
+        _VERIFIED_WHEELS.add(name)
+
+
+    def _hash_bundled_wheel(path: Path) -> str:
+        # ``path`` is under the package directory; when virtualenv runs from a zipapp the wheel lives inside the
+        # archive and cannot be opened as a regular file, so read the bytes straight from the zipapp entry.
+        digest = hashlib.sha256()
+        if IS_ZIPAPP:
+            entry = path.resolve().relative_to(Path(ROOT).resolve()).as_posix()
+            with zipfile.ZipFile(ROOT, "r") as archive, archive.open(entry) as stream:
+                for chunk in iter(lambda: stream.read(1 << 20), b""):
+                    digest.update(chunk)
+        else:
+            with path.open("rb") as stream:
+                for chunk in iter(lambda: stream.read(1 << 20), b""):
+                    digest.update(chunk)
+        return digest.hexdigest()
+
+
+    __all__ = [
+        "BUNDLE_FOLDER",
+        "BUNDLE_SHA256",
+        "BUNDLE_SUPPORT",
+        "MAX",
+        "get_embed_wheel",
+    ]
+
+    """,
+    )
+    dest_target = DEST / "__init__.py"
+    dest_target.write_text(msg, encoding="utf-8")
+    subprocess.run([sys.executable, "-m", "ruff", "check", str(dest_target), "--fix", "--unsafe-fixes"], check=False)
+    subprocess.run([sys.executable, "-m", "ruff", "format", str(dest_target), "--preview"], check=False)
+
+
+def _support_table_from_existing_init() -> OrderedDict[str, OrderedDict[str, str]]:
+    source = (DEST / "__init__.py").read_text(encoding="utf-8")
+    tree = ast.parse(source)
+    for node in tree.body:
+        if isinstance(node, ast.Assign) and any(
+            isinstance(t, ast.Name) and t.id == "BUNDLE_SUPPORT" for t in node.targets
+        ):
+            bundle_support = ast.literal_eval(node.value)
+            return OrderedDict(
+                (version, OrderedDict(sorted(mapping.items()))) for version, mapping in bundle_support.items()
+            )
+    msg = f"BUNDLE_SUPPORT not found in {DEST / '__init__.py'}"
+    raise RuntimeError(msg)
+
+
+def _sha256(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as stream:
+        for chunk in iter(lambda: stream.read(1 << 20), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def fmt_version(versions: list[str]) -> str:
+    return ", ".join(f"``{v}``" for v in versions)
+
+
+def collect_package_versions(new_packages: set[str]) -> dict[str, list[str]]:
+    result = defaultdict(list)
+    for package in new_packages:
+        split = package.split("-")
+        if len(split) < 2:  # noqa: PLR2004
+            raise ValueError(package)
+        key, version = split[0:2]
+        result[key].append(version)
+    return result
+
+
+def download(python_version: str, dest: str, package: str) -> None:
+    subprocess.call(
+        [
+            sys.executable,
+            "-W",
+            "ignore::EncodingWarning",
+            "-m",
+            "pip",
+            "--disable-pip-version-check",
+            "download",
+            "--no-cache-dir",
+            "--only-binary=:all:",
+            "--python-version",
+            python_version,
+            "-d",
+            dest,
+            package,
+        ],
+    )
+
+
+if __name__ == "__main__":
+    run()