Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pip downloads packages twice if the data-dist-info-metadata is set #11847

Closed
1 task done
fiannac opened this issue Mar 8, 2023 · 21 comments · Fixed by #12197
Closed
1 task done

pip downloads packages twice if the data-dist-info-metadata is set #11847

fiannac opened this issue Mar 8, 2023 · 21 comments · Fixed by #12197
Labels
type: bug A confirmed bug or unintended behavior

Comments

@fiannac
Copy link

fiannac commented Mar 8, 2023

Description

I'm using a custom package index that implements PEP-658. When I install packages through that index specifying the --no-cache-dir flag pip downloads the package twice.

Expected behavior

No response

pip version

23.0.1

Python version

3.9.7

OS

CentOS 7.9

How to Reproduce

Run pip install --no-cache-dir --index-url PEP-658index -v package

Output

pip install --no-cache-dir --index-url http://localhost:8000/simple/ -v numba
Using pip 23.0.1 from ... (python 3.9)
Looking in indexes: http://localhost:8000/simple/
Collecting numba
  Obtaining dependency information for numba from http://localhost:8000/.../numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata
  Downloading http://localhost:8000/.../numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata (2.8 kB)
Requirement already satisfied: setuptools in /.../site-packages (from numba) (59.5.0)
Requirement already satisfied: llvmlite<0.40,>=0.39.0dev0 in /.../site-packages (from numba) (0.39.1)
Requirement already satisfied: numpy<1.24,>=1.18 in /.../site-packages (from numba) (1.23.5)
Downloading http://localhost:8000/.../numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (3.5 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.5/3.5 MB 105.5 MB/s eta 0:00:00
Downloading http://localhost:8000/.../numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (3.5 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.5/3.5 MB 120.8 MB/s eta 0:00:00
Installing collected packages: numba
Successfully installed numba-0.56.4

Code of Conduct

@fiannac fiannac added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Mar 8, 2023
@uranusjr
Copy link
Member

uranusjr commented Mar 8, 2023

What are you setting in data-dist-info-metadata? If it is set pip downloads the content it points to for metadata. It looks like your attribute points to the same wheel, which should not be the case.

@pradyunsg
Copy link
Member

Could you share the HTML file that triggered this, as well as the contents of the METADATA file served by the host?

The metadata file seems to be distinct: numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata

@fiannac
Copy link
Author

fiannac commented Mar 8, 2023

What are you setting in data-dist-info-metadata? If it is set pip downloads the content it points to for metadata. It looks like your attribute points to the same wheel, which should not be the case.

From PEP658:

The repository SHOULD provide the hash of the Core Metadata file as the data-dist-info-metadata attribute’s value using the syntax hashname=hashvalue, where hashname is the lower cased name of the hash function used, and hashvalue is the hex encoded digest. The repository MAY use true as the attribute’s value if a hash is unavailable.

I am setting the values to true since I do not have access to the hashes. I also think pip is downloading and using the metadata correctly:
Downloading http://localhost:8000/.../numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata (2.8 kB)

@fiannac
Copy link
Author

fiannac commented Mar 8, 2023

Could you share the HTML file that triggered this, as well as the contents of the METADATA file served by the host?

The metadata file seems to be distinct: numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata

I'm currently just proxying pypi.org, adding data-dist-info-metadata to all the a tags pointing to a wheel dist and unwrapping the wheels on the fly when a client asks for metatadata. So the html is just the project page provided by pypi.org and the metadata is the METADATA file inside the wheel.

@fiannac
Copy link
Author

fiannac commented Mar 24, 2023

Could you share the HTML file that triggered this, as well as the contents of the METADATA file served by the host?

The metadata file seems to be distinct: numba-0.56.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.metadata

I've uploaded on this repo an html file that triggers this, you can reproduce that locally following the setps in the readme

@pradyunsg
Copy link
Member

Thank you for that @fiannac! That's really useful.

@pradyunsg
Copy link
Member

/cc @pfmoore, who is also looking at the PEP 658 + PEP 714 situation in #12078. I reckon this is something we should try to fix in the first release using the new key name.

@pradyunsg pradyunsg added !release blocker Hold a release until this is resolved and removed S: needs triage Issues/PRs that need to be triaged labels Jun 27, 2023
@pradyunsg pradyunsg added this to the 23.2 milestone Jun 27, 2023
@pfmoore
Copy link
Member

pfmoore commented Jun 27, 2023

I'll take a look, but I can't promise I'll have time to work out what the problem is here, much less create a fix. So PRs would be welcome.

Worst case scenario, if no-one comes up with a fix for this, we'll have PEP 658/714 support in 23.2 with this issue unfixed. Does anyone think that's a serious problem (serious enough to pull #12078 from 23.2)? My instinct is to say no, we go ahead with #12078, but a double download does sound like a rather serious performance regression, for something that was supposed to be a performance improvement 🙁

@pfmoore
Copy link
Member

pfmoore commented Jun 27, 2023

I've tried setting a breakpoint in pip._internal.network.download in Downloader.__call__, just before the HTTP response is read and written to the target file. The breakpoint is only triggered once, but the Downloading filename.whl (NN kB) message is printed twice before the breakpoint is hit. So I'm pretty sure that the issue here is simply one of the "Downloading" message being logged twice, rather than the file actually being downloaded twice.

Obviously, it's misleading and needs to be fixed, but I'm reasonably confident that there isn't a performance issue here.

Before I downgrade this from release blocker, can anyone demonstrate that my analysis above is wrong?

Note that #12078 has now been merged, and PyPI is serving (some) metadata files, so this issue can be reproduced using pip main and PyPI. The command line I used was pip install --dry-run --no-deps --no-cache piel -vvv (I used the piel package simply because it has had a very recent release which has metadata available on PyPI).

@fiannac
Copy link
Author

fiannac commented Jun 28, 2023

I've tried setting a breakpoint in pip._internal.network.download in Downloader.__call__, just before the HTTP response is read and written to the target file. The breakpoint is only triggered once, but the Downloading filename.whl (NN kB) message is printed twice before the breakpoint is hit. So I'm pretty sure that the issue here is simply one of the "Downloading" message being logged twice, rather than the file actually being downloaded twice.

When I run the same command and check the server-side logs, it really looks like the file is being downloaded twice:

Client:
pip install --dry-run --no-deps --no-cache --force-reinstall --index-url http://localhost:8082/simple/ abcabc
Collecting abcabc
  Obtaining dependency information for abcabc from http://localhost:8082/simple/abcabc/abcabc-0.0.7-py3-none-any.whl.metadata
  Downloading http://localhost:8082/simple/abcabc/abcabc-0.0.7-py3-none-any.whl.metadata (92 bytes)
Downloading http://localhost:8082/simple/abcabc/abcabc-0.0.7-py3-none-any.whl (2.4 kB)
Downloading http://localhost:8082/simple/abcabc/abcabc-0.0.7-py3-none-any.whl (2.4 kB)

Server:
127.0.0.1 - - [28/Jun/2023 14:12:21] "GET /simple/abcabc/ HTTP/1.1" 200 -
127.0.0.1 - - [28/Jun/2023 14:12:21] "GET /simple/abcabc/abcabc-0.0.7-py3-none-any.whl.metadata HTTP/1.1" 200 -
127.0.0.1 - - [28/Jun/2023 14:12:21] "GET /simple/abcabc/abcabc-0.0.7-py3-none-any.whl HTTP/1.1" 200 -
127.0.0.1 - - [28/Jun/2023 14:12:21] "GET /simple/abcabc/abcabc-0.0.7-py3-none-any.whl HTTP/1.1" 200 -

@pfmoore
Copy link
Member

pfmoore commented Jun 28, 2023

OK. We'll need a complete reproducer that I can use to replicate the issue locally, as I can't confirm the problem here.

@fiannac
Copy link
Author

fiannac commented Jun 28, 2023

OK. We'll need a complete reproducer that I can use to replicate the issue locally, as I can't confirm the problem here.

To reproduce the problem check this

@pfmoore
Copy link
Member

pfmoore commented Jun 28, 2023

OK, thanks - I found it (I think).

There's a prepare_linked_requirements_more function in operations.prepare, which looks at req.needs_more_preparation. If I'm understanding things here, it looks like that code path isn't clearing this flag when the "more preparation" has been done. But that logic is incredibly convoluted and I frankly can't follow it.

@pfmoore
Copy link
Member

pfmoore commented Jun 28, 2023

FWIW, the "needs more preparation" flag was added in #8685 but the code was updated for PEP 658 support in #11111.

@uranusjr @pradyunsg you both seem to have reviewed #11111 - do either of you have any recollection what was going on there?

@uranusjr
Copy link
Member

I didn’t pay much notice to needs_more_preparation when I reviewed the PR since the code is already there and seems to do something else, but now looking back I guess yeah that flag should not be set when only the metadata is downloaded, since PEP 658 uses a completely different mechanism than the partial download approach and should not “resume” a wheel download. So I guess we can

  1. Change the needs_more_preparation resuming message a bit, to say something like Resuming link ... instead so it’s at least clearer to the user this is a continuation to the previous download, and not a separate download.
  2. Modify the code to make a metadata-only download not set needs_more_preparation at all.

@uranusjr
Copy link
Member

One additional comment, we probably should rename that flag to same something like has_partially_downloaded_artifact instead to better reflect what it does.

@pfmoore
Copy link
Member

pfmoore commented Jul 1, 2023

Phew! I think I found the issue. We weren't recording in the _downloaded dictionary the fact that we downloaded and unpacked the URL in _complete_partial_requirements, which means that the following call to _prepare_linked_requirement downloaded the URL again.

I have a fix in #12120, waiting for the tests to run to see if it actually resolves the issue (it did in my manual tests, but I'm not promising yet that it doesn't break something else!)

@pfmoore
Copy link
Member

pfmoore commented Jul 1, 2023

Test failures seem to be for the case where we're given metadata for source distributions. I'm inclined to downgrade the "release blocker" status if that's the case, but I don't know how we fix the test suite, so I don't have a practical way to achieve that at the moment 🙁

@uranusjr Your comments on making the code more readable make sense (although the issue doesn't seem directly related to needs_more_preparation any more) but I definitely won't be doing anything about them right now - all I have time for is the bare minimum of trying to get things functioning1. If anyone wants to look at this code any deeper, they'll need to file a separate PR (and it should be for 23.3, not 23.2, as the only thing I want to focus on for 23.2 is getting this issue dealt with).

Footnotes

  1. And I'm not even sure I'll manage that - we may end up in a situation where I have to choose between releasing with the performance issue or reverting Fix parsing of JSON index dist-info-metadata values #12078 and losing PEP 658/714 support for another release cycle.

@pfmoore
Copy link
Member

pfmoore commented Jul 3, 2023

By limiting the "double download" fix to wheels, the tests pass. That's an awful hack, but it gets us past the "release blocker" problem, as PyPI isn't yet serving PEP 658 metadata for sdists.

Fixing the sdist issue looks like it will require a complete refactoring of the logic that means we need the method prepare_linked_requirements_more, and I have no idea how to even start on that. So I'm going to limit the fix to wheels, and leave this issue open for someone else to look at the sdist issue.

The risk, of course, is that no-one will look at this issue for sdists, and we'll just end up with the same problem when PyPI does start serving sdist metadata. Maybe it'll be less of an issue as sdists typically aren't huge, but I'm not confident of that (huge data files, or people shipping Javascript runtimes in the sdist, could still be an issue). To be clear I don't personally have any intention of digging into the sdist issue any further - I don't have the time to work out what this code does and produce a full fix.

Edit: The largest sdist I can see in a recent PyPI dump is 520Mb in size. The mean sdist size is about 800Kb.

Another option would be to leave the sdist tests failing, but mark them as xfail. I'm not convinced that's a better option, as it doesn't make it any more likely that someone will look at the problem (possibly less so, because there wouldn't be a huge comment in the source explaining how the current situation is a gross hack 🙂)

@pfmoore pfmoore removed the !release blocker Hold a release until this is resolved label Jul 3, 2023
@pfmoore
Copy link
Member

pfmoore commented Jul 3, 2023

I've merged my fix, and removed the release blocker label. I'm leaving the 23.2 milestone in case someone else contributes a full fix, but if no-one gets to it, I'll just remove the milestone (I'm leaving it mainly as a reminder to check back on this issue before the release).

@pfmoore
Copy link
Member

pfmoore commented Jul 9, 2023

I'm going to remove the milestone at this point, as I don't expect any further work on this before 23.2 (even if someone comes up with a PR, I won't have time to review it and I won't approve it for 23.2 as we've had enough problems and I won't risk any more being caused by rushing things in).

We can look at any follow-up in future pip releases.

@pfmoore pfmoore removed this from the 23.2 milestone Jul 9, 2023
ErikBavenstrand added a commit to klarna-incubator/mleko that referenced this issue Jul 17, 2023
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new
<code>importlib.metadata</code> backend is used to load distribution
metadata. This only affects the egg <em>distribution format</em> (with
the <code>.egg</code> extension); distributions using the
<code>.egg-info</code> <em>metadata format</em> (but are not actually
eggs) are not affected. For more information about eggs, see
<code>relevant section in the setuptools documentation
&lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform
to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_
(<code>[#12063](pypa/pip#12063)
&lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>,
<code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code>
if you wish to
exclude any of these packages.
(<code>[#4256](pypa/pip#4256)
&lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the
user can make the difference.
(<code>[#12040](pypa/pip#12040)
&lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>.
(<code>[#11417](pypa/pip#11417)
&lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present
(<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration
(<code>[#11920](pypa/pip#11920)
&lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree
(<code>[#11957](pypa/pip#11957)
&lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the
cache of locally built wheels.
(<code>[#11985](pypa/pip#11985)
&lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using
non-canonicalized names
(<code>[#12038](pypa/pip#12038)
&lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from
JSON-format index data.
(<code>[#12042](pypa/pip#12042)
&lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified
after the subcommand name.
(<code>[#12067](pypa/pip#12067)
&lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default
way for pip to read metadata in Python 3.11+) and there is a large
overlap between already installed and to-be-installed packages.
(<code>[#12079](pypa/pip#12079)
&lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a
revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users
that do not have control on
VCS URLs passed to pip are advised to upgrade.
(<code>[#12119](pypa/pip#12119)
&lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/11417">#11417</a> from
Freed-Wu/fix-zsh</li>
<li><a
href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12137">#12137</a> from
groodt/groodt-fix-deprecation-warning</li>
<li><a
href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12140">#12140</a> from
uranusjr/ensure-preparation-for-dist</li>
<li><a
href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a>
Ensure requirements are prepared before get_dist()</li>
<li><a
href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a>
Add news entry</li>
<li><a
href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a>
Add news entry</li>
<li><a
href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a>
Make black formatter happy</li>
<li><a
href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a>
Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/22.3.1...23.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.3.1&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
mergify bot pushed a commit to aws/jsii that referenced this issue Jul 17, 2023
…s/@jsii/python-runtime (#4182)

Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation &lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_ (<code>[#12063](pypa/pip#12063) &lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code> if you wish to
exclude any of these packages. (<code>[#4256](pypa/pip#4256) &lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) &lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) &lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) &lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) &lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) &lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) &lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) &lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) &lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) &lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on
VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) &lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li>
<li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li>
<li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li>
<li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li>
<li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li>
<li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1...23.2">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
mergify bot pushed a commit to aws/jsii that referenced this issue Jul 17, 2023
…k/test/generated-code (#4183)

Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation &lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_ (<code>[#12063](pypa/pip#12063) &lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code> if you wish to
exclude any of these packages. (<code>[#4256](pypa/pip#4256) &lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) &lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) &lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) &lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) &lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) &lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) &lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) &lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) &lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) &lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on
VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) &lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li>
<li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li>
<li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li>
<li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li>
<li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li>
<li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Jul 17, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation &lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_ (<code>[#12063](pypa/pip#12063) &lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code> if you wish to
exclude any of these packages. (<code>[#4256](pypa/pip#4256) &lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) &lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) &lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) &lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) &lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) &lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) &lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) &lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) &lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) &lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on
VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) &lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li>
<li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li>
<li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li>
<li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li>
<li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li>
<li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Jul 17, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new <code>importlib.metadata</code> backend is used to load distribution metadata. This only affects the egg <em>distribution format</em> (with the <code>.egg</code> extension); distributions using the <code>.egg-info</code> <em>metadata format</em> (but are not actually eggs) are not affected. For more information about eggs, see <code>relevant section in the setuptools documentation &lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_ (<code>[#12063](pypa/pip#12063) &lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>, <code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code> if you wish to
exclude any of these packages. (<code>[#4256](pypa/pip#4256) &lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the user can make the difference. (<code>[#12040](pypa/pip#12040) &lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>. (<code>[#11417](pypa/pip#11417) &lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration (<code>[#11920](pypa/pip#11920) &lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (<code>[#11957](pypa/pip#11957) &lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the cache of locally built wheels. (<code>[#11985](pypa/pip#11985) &lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using non-canonicalized names (<code>[#12038](pypa/pip#12038) &lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from JSON-format index data. (<code>[#12042](pypa/pip#12042) &lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified after the subcommand name. (<code>[#12067](pypa/pip#12067) &lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (<code>[#12079](pypa/pip#12079) &lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users that do not have control on
VCS URLs passed to pip are advised to upgrade. (<code>[#12119](pypa/pip#12119) &lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/11417">#11417</a> from Freed-Wu/fix-zsh</li>
<li><a href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12137">#12137</a> from groodt/groodt-fix-deprecation-warning</li>
<li><a href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a> Merge pull request <a href="https://github.com/pypa/pip/issues/12140">#12140</a> from uranusjr/ensure-preparation-for-dist</li>
<li><a href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a> Ensure requirements are prepared before get_dist()</li>
<li><a href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a> Add news entry</li>
<li><a href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a> Make black formatter happy</li>
<li><a href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a> Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
@pfmoore pfmoore mentioned this issue Jul 18, 2023
openfinch added a commit to boopmail/python-jmap that referenced this issue Jul 20, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new
<code>importlib.metadata</code> backend is used to load distribution
metadata. This only affects the egg <em>distribution format</em> (with
the <code>.egg</code> extension); distributions using the
<code>.egg-info</code> <em>metadata format</em> (but are not actually
eggs) are not affected. For more information about eggs, see
<code>relevant section in the setuptools documentation
&lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform
to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_
(<code>[#12063](pypa/pip#12063)
&lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>,
<code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code>
if you wish to
exclude any of these packages.
(<code>[#4256](pypa/pip#4256)
&lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the
user can make the difference.
(<code>[#12040](pypa/pip#12040)
&lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>.
(<code>[#11417](pypa/pip#11417)
&lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present
(<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration
(<code>[#11920](pypa/pip#11920)
&lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree
(<code>[#11957](pypa/pip#11957)
&lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the
cache of locally built wheels.
(<code>[#11985](pypa/pip#11985)
&lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using
non-canonicalized names
(<code>[#12038](pypa/pip#12038)
&lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from
JSON-format index data.
(<code>[#12042](pypa/pip#12042)
&lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified
after the subcommand name.
(<code>[#12067](pypa/pip#12067)
&lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default
way for pip to read metadata in Python 3.11+) and there is a large
overlap between already installed and to-be-installed packages.
(<code>[#12079](pypa/pip#12079)
&lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a
revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users
that do not have control on
VCS URLs passed to pip are advised to upgrade.
(<code>[#12119](pypa/pip#12119)
&lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.5.7</li>
<li>Upgrade platformdirs to 3.8.1</li>
<li>Upgrade pygments to 2.15.1</li>
<li>Upgrade pyparsing to 3.1.0</li>
<li>Upgrade Requests to 2.31.0</li>
<li>Upgrade rich to 13.4.2</li>
<li>Upgrade setuptools to 68.0.0</li>
<li>Updated typing_extensions to 4.6.0</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/a3c2c43c5309ff219674b1d73a6dbf491a727a5e"><code>a3c2c43</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/ae23f967efedf33e3da148612657064b3b5a0695"><code>ae23f96</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/324dd444956283661dce0dc282cbdaad0405d921"><code>324dd44</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/11417">#11417</a> from
Freed-Wu/fix-zsh</li>
<li><a
href="https://github.com/pypa/pip/commit/e53cf3d32dd0a41ecc66205d7360c90e59030fd0"><code>e53cf3d</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12137">#12137</a> from
groodt/groodt-fix-deprecation-warning</li>
<li><a
href="https://github.com/pypa/pip/commit/38a8fb1f601c782eef0988290f11aa2a4dfc3c69"><code>38a8fb1</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12140">#12140</a> from
uranusjr/ensure-preparation-for-dist</li>
<li><a
href="https://github.com/pypa/pip/commit/0cabefbce800b6bde91f869e83dc48bd0ea4aa64"><code>0cabefb</code></a>
Ensure requirements are prepared before get_dist()</li>
<li><a
href="https://github.com/pypa/pip/commit/2c4947d51a002cd0ba4b01ec7682d86f297e6d37"><code>2c4947d</code></a>
Add news entry</li>
<li><a
href="https://github.com/pypa/pip/commit/41506d7bbf25009f0de06218744082ca4299f666"><code>41506d7</code></a>
Add news entry</li>
<li><a
href="https://github.com/pypa/pip/commit/9b47bc0fea396caf0cc6a89a404c039c6a44ac40"><code>9b47bc0</code></a>
Make black formatter happy</li>
<li><a
href="https://github.com/pypa/pip/commit/25f4e6eabf8fb8f10ea10e4bd9c542ed30cbba5e"><code>25f4e6e</code></a>
Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/23.1.2...23.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
kai687 pushed a commit to kai687/sphinxawesome-theme that referenced this issue Jul 24, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.2.1 (2023-07-22)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Disable PEP 658 metadata fetching with the legacy resolver.
(<code>[#12156](pypa/pip#12156)
&lt;https://github.com/pypa/pip/issues/12156&gt;</code>_)</li>
</ul>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new
<code>importlib.metadata</code> backend is used to load distribution
metadata. This only affects the egg <em>distribution format</em> (with
the <code>.egg</code> extension); distributions using the
<code>.egg-info</code> <em>metadata format</em> (but are not actually
eggs) are not affected. For more information about eggs, see
<code>relevant section in the setuptools documentation
&lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform
to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_
(<code>[#12063](pypa/pip#12063)
&lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>,
<code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code>
if you wish to
exclude any of these packages.
(<code>[#4256](pypa/pip#4256)
&lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the
user can make the difference.
(<code>[#12040](pypa/pip#12040)
&lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>.
(<code>[#11417](pypa/pip#11417)
&lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present
(<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration
(<code>[#11920](pypa/pip#11920)
&lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree
(<code>[#11957](pypa/pip#11957)
&lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the
cache of locally built wheels.
(<code>[#11985](pypa/pip#11985)
&lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using
non-canonicalized names
(<code>[#12038](pypa/pip#12038)
&lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from
JSON-format index data.
(<code>[#12042](pypa/pip#12042)
&lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified
after the subcommand name.
(<code>[#12067](pypa/pip#12067)
&lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default
way for pip to read metadata in Python 3.11+) and there is a large
overlap between already installed and to-be-installed packages.
(<code>[#12079](pypa/pip#12079)
&lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a
revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users
that do not have control on
VCS URLs passed to pip are advised to upgrade.
(<code>[#12119](pypa/pip#12119)
&lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/4a79e65cb6aac84505ad92d272a29f0c3c1aedce"><code>4a79e65</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/81a0711192c32126a7b11d6898677274cdbc40b5"><code>81a0711</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/1d4674c38950fe01d138a57524799473a2341bb7"><code>1d4674c</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12163">#12163</a> from
pfmoore/fix_12156</li>
<li><a
href="https://github.com/pypa/pip/commit/39aa7ed50e26d77a4a277fa525add44b6f7b3bcd"><code>39aa7ed</code></a>
Fix a direct creation of RequirementPreparer in the tests</li>
<li><a
href="https://github.com/pypa/pip/commit/c12139de9b51da9947d3b36b4f0e2e0c8f467663"><code>c12139d</code></a>
Disable PEP 658 for the legacy resolver</li>
<li><a
href="https://github.com/pypa/pip/commit/593b85f4abd30688648436bb9baca3b8f7b32b51"><code>593b85f</code></a>
Use strict optional checking in misc.py (<a
href="https://github.com/pypa/pip/issues/11382">#11382</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/b252ad819bc7b998508a7ed8789b60dceddfd603"><code>b252ad8</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12148">#12148</a> from
mtreinish/patch-1</li>
<li><a
href="https://github.com/pypa/pip/commit/26814251c04f459dce8e9502aa42eebdb125ee20"><code>2681425</code></a>
Correct typo in 23.2 Changelog Bug Fixes</li>
<li><a
href="https://github.com/pypa/pip/commit/1d5b12063d8656a2d1c2eebaee83ed530b642e48"><code>1d5b120</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12145">#12145</a> from
pfmoore/release/23.2</li>
<li><a
href="https://github.com/pypa/pip/commit/b6a2670599ded25ffcebc33b5c8b583ccef87f27"><code>b6a2670</code></a>
Bump for development</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/23.1.2...23.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 2, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 3, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 3, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 6, 2023
torbennehmer added a commit to torbennehmer/hacs-e3dc that referenced this issue Aug 7, 2023
Updates the requirements on [pip](https://github.com/pypa/pip) to permit
the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.2.1 (2023-07-22)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Disable PEP 658 metadata fetching with the legacy resolver.
(<code>[#12156](pypa/pip#12156)
&lt;https://github.com/pypa/pip/issues/12156&gt;</code>_)</li>
</ul>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new
<code>importlib.metadata</code> backend is used to load distribution
metadata. This only affects the egg <em>distribution format</em> (with
the <code>.egg</code> extension); distributions using the
<code>.egg-info</code> <em>metadata format</em> (but are not actually
eggs) are not affected. For more information about eggs, see
<code>relevant section in the setuptools documentation
&lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform
to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_
(<code>[#12063](pypa/pip#12063)
&lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>,
<code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code>
if you wish to
exclude any of these packages.
(<code>[#4256](pypa/pip#4256)
&lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the
user can make the difference.
(<code>[#12040](pypa/pip#12040)
&lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>.
(<code>[#11417](pypa/pip#11417)
&lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present
(<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration
(<code>[#11920](pypa/pip#11920)
&lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree
(<code>[#11957](pypa/pip#11957)
&lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the
cache of locally built wheels.
(<code>[#11985](pypa/pip#11985)
&lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using
non-canonicalized names
(<code>[#12038](pypa/pip#12038)
&lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from
JSON-format index data.
(<code>[#12042](pypa/pip#12042)
&lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified
after the subcommand name.
(<code>[#12067](pypa/pip#12067)
&lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default
way for pip to read metadata in Python 3.11+) and there is a large
overlap between already installed and to-be-installed packages.
(<code>[#12079](pypa/pip#12079)
&lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a
revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users
that do not have control on
VCS URLs passed to pip are advised to upgrade.
(<code>[#12119](pypa/pip#12119)
&lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/4a79e65cb6aac84505ad92d272a29f0c3c1aedce"><code>4a79e65</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/81a0711192c32126a7b11d6898677274cdbc40b5"><code>81a0711</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/1d4674c38950fe01d138a57524799473a2341bb7"><code>1d4674c</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12163">#12163</a> from
pfmoore/fix_12156</li>
<li><a
href="https://github.com/pypa/pip/commit/39aa7ed50e26d77a4a277fa525add44b6f7b3bcd"><code>39aa7ed</code></a>
Fix a direct creation of RequirementPreparer in the tests</li>
<li><a
href="https://github.com/pypa/pip/commit/c12139de9b51da9947d3b36b4f0e2e0c8f467663"><code>c12139d</code></a>
Disable PEP 658 for the legacy resolver</li>
<li><a
href="https://github.com/pypa/pip/commit/593b85f4abd30688648436bb9baca3b8f7b32b51"><code>593b85f</code></a>
Use strict optional checking in misc.py (<a
href="https://github.com/pypa/pip/issues/11382">#11382</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/b252ad819bc7b998508a7ed8789b60dceddfd603"><code>b252ad8</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12148">#12148</a> from
mtreinish/patch-1</li>
<li><a
href="https://github.com/pypa/pip/commit/26814251c04f459dce8e9502aa42eebdb125ee20"><code>2681425</code></a>
Correct typo in 23.2 Changelog Bug Fixes</li>
<li><a
href="https://github.com/pypa/pip/commit/1d5b12063d8656a2d1c2eebaee83ed530b642e48"><code>1d5b120</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12145">#12145</a> from
pfmoore/release/23.2</li>
<li><a
href="https://github.com/pypa/pip/commit/b6a2670599ded25ffcebc33b5c8b583ccef87f27"><code>b6a2670</code></a>
Bump for development</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/21.0...23.2.1">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 11, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 12, 2023
cosmicexplorer added a commit to cosmicexplorer/pip that referenced this issue Aug 14, 2023
gignsky added a commit to gignsky/tdarr-node-switcher that referenced this issue Aug 28, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.1.2 to 23.2.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.2.1 (2023-07-22)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Disable PEP 658 metadata fetching with the legacy resolver.
(<code>[#12156](pypa/pip#12156)
&lt;https://github.com/pypa/pip/issues/12156&gt;</code>_)</li>
</ul>
<h1>23.2 (2023-07-15)</h1>
<h2>Process</h2>
<ul>
<li>Deprecate support for eggs for Python 3.11 or later, when the new
<code>importlib.metadata</code> backend is used to load distribution
metadata. This only affects the egg <em>distribution format</em> (with
the <code>.egg</code> extension); distributions using the
<code>.egg-info</code> <em>metadata format</em> (but are not actually
eggs) are not affected. For more information about eggs, see
<code>relevant section in the setuptools documentation
&lt;https://setuptools.pypa.io/en/stable/deprecated/python_eggs.html&gt;</code>__.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Deprecate legacy version and version specifiers that don't conform
to <code>PEP 440 &lt;https://peps.python.org/pep-0440/&gt;</code>_
(<code>[#12063](pypa/pip#12063)
&lt;https://github.com/pypa/pip/issues/12063&gt;</code>_)</li>
<li><code>freeze</code> no longer excludes the <code>setuptools</code>,
<code>distribute</code>, and <code>wheel</code>
from the output when running on Python 3.12 or later, where they are not
included in a virtual environment by default. Use <code>--exclude</code>
if you wish to
exclude any of these packages.
(<code>[#4256](pypa/pip#4256)
&lt;https://github.com/pypa/pip/issues/4256&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>make rejection messages slightly different between 1 and 8, so the
user can make the difference.
(<code>[#12040](pypa/pip#12040)
&lt;https://github.com/pypa/pip/issues/12040&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix <code>pip completion --zsh</code>.
(<code>[#11417](pypa/pip#11417)
&lt;https://github.com/pypa/pip/issues/11417&gt;</code>_)</li>
<li>Prevent downloading files twice when PEP 658 metadata is present
(<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Add permission check before configuration
(<code>[#11920](pypa/pip#11920)
&lt;https://github.com/pypa/pip/issues/11920&gt;</code>_)</li>
<li>Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree
(<code>[#11957](pypa/pip#11957)
&lt;https://github.com/pypa/pip/issues/11957&gt;</code>_)</li>
<li>Ignore invalid or unreadable <code>origin.json</code> files in the
cache of locally built wheels.
(<code>[#11985](pypa/pip#11985)
&lt;https://github.com/pypa/pip/issues/11985&gt;</code>_)</li>
<li>Fix installation of packages with PEP658 metadata using
non-canonicalized names
(<code>[#12038](pypa/pip#12038)
&lt;https://github.com/pypa/pip/issues/12038&gt;</code>_)</li>
<li>Correctly parse <code>dist-info-metadata</code> values from
JSON-format index data.
(<code>[#12042](pypa/pip#12042)
&lt;https://github.com/pypa/pip/issues/12042&gt;</code>_)</li>
<li>Fail with an error if the <code>--python</code> option is specified
after the subcommand name.
(<code>[#12067](pypa/pip#12067)
&lt;https://github.com/pypa/pip/issues/12067&gt;</code>_)</li>
<li>Fix slowness when using <code>importlib.metadata</code> (the default
way for pip to read metadata in Python 3.11+) and there is a large
overlap between already installed and to-be-installed packages.
(<code>[#12079](pypa/pip#12079)
&lt;https://github.com/pypa/pip/issues/12079&gt;</code>_)</li>
<li>Pass the <code>-r</code> flag to mercurial to be explicit that a
revision is passed and protect
against <code>hg</code> options injection as part of VCS URLs. Users
that do not have control on
VCS URLs passed to pip are advised to upgrade.
(<code>[#12119](pypa/pip#12119)
&lt;https://github.com/pypa/pip/issues/12119&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/4a79e65cb6aac84505ad92d272a29f0c3c1aedce"><code>4a79e65</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/81a0711192c32126a7b11d6898677274cdbc40b5"><code>81a0711</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/1d4674c38950fe01d138a57524799473a2341bb7"><code>1d4674c</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12163">#12163</a> from
pfmoore/fix_12156</li>
<li><a
href="https://github.com/pypa/pip/commit/39aa7ed50e26d77a4a277fa525add44b6f7b3bcd"><code>39aa7ed</code></a>
Fix a direct creation of RequirementPreparer in the tests</li>
<li><a
href="https://github.com/pypa/pip/commit/c12139de9b51da9947d3b36b4f0e2e0c8f467663"><code>c12139d</code></a>
Disable PEP 658 for the legacy resolver</li>
<li><a
href="https://github.com/pypa/pip/commit/593b85f4abd30688648436bb9baca3b8f7b32b51"><code>593b85f</code></a>
Use strict optional checking in misc.py (<a
href="https://github.com/pypa/pip/issues/11382">#11382</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/b252ad819bc7b998508a7ed8789b60dceddfd603"><code>b252ad8</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12148">#12148</a> from
mtreinish/patch-1</li>
<li><a
href="https://github.com/pypa/pip/commit/26814251c04f459dce8e9502aa42eebdb125ee20"><code>2681425</code></a>
Correct typo in 23.2 Changelog Bug Fixes</li>
<li><a
href="https://github.com/pypa/pip/commit/1d5b12063d8656a2d1c2eebaee83ed530b642e48"><code>1d5b120</code></a>
Merge pull request <a
href="https://github.com/pypa/pip/issues/12145">#12145</a> from
pfmoore/release/23.2</li>
<li><a
href="https://github.com/pypa/pip/commit/b6a2670599ded25ffcebc33b5c8b583ccef87f27"><code>b6a2670</code></a>
Bump for development</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/23.1.2...23.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.1.2&new-version=23.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
fridex pushed a commit to fridex/pip that referenced this issue Nov 8, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
type: bug A confirmed bug or unintended behavior
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants