Merge branch 'main' into bugfix/11815-correct-docs-for-env-var

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
  runs-on: ubuntu-latest
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: "3.x"
@@ -57,7 +57,7 @@ jobs:
  runs-on: ubuntu-latest
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: "3.x"
@@ -81,7 +81,7 @@ jobs:
  github.event_name != 'pull_request'
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: "3.x"
@@ -112,7 +112,7 @@ jobs:
  - "3.12"
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: ${{ matrix.python }}
@@ -164,7 +164,7 @@ jobs:
  group: [1, 2]
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: ${{ matrix.python }}
@@ -215,7 +215,7 @@ jobs:
  github.event_name != 'pull_request'
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: "3.10"

.github/workflows/lock-threads.yml

@@ -17,7 +17,7 @@ jobs:
  if: github.repository_owner == 'pypa'
  runs-on: ubuntu-latest
  steps:
- - uses: dessant/lock-threads@v3
+ - uses: dessant/lock-threads@v4
  with:
  issue-inactive-days: '30'
  pr-inactive-days: '15'

.github/workflows/news-file.yml

@@ -10,7 +10,7 @@ jobs:
  runs-on: ubuntu-20.04
 
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  with:
  # `towncrier check` runs `git diff --name-only origin/main...`, which
  # needs a non-shallow clone.

.github/workflows/update-rtd-redirects.yml

@@ -18,7 +18,7 @@ jobs:
  runs-on: ubuntu-latest
  environment: RTD Deploys
  steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
  - uses: actions/setup-python@v4
  with:
  python-version: "3.11"

.pre-commit-config.yaml

@@ -22,8 +22,7 @@ repos:
  - id: black
 
 - repo: https:/astral-sh/ruff-pre-commit
- # Ruff version.
- rev: v0.0.287
+ rev: v0.0.292
  hooks:
  - id: ruff
 

AUTHORS.txt

@@ -20,6 +20,7 @@ Albert-Guan
 albertg
 Alberto Sottile
 Aleks Bunin
+Ales Erjavec
 Alethea Flowers
 Alex Gaynor
 Alex Grönholm
@@ -30,6 +31,7 @@ Alex Stachowiak
 Alexander Shtyrov
 Alexandre Conrad
 Alexey Popravka
+Aleš Erjavec
 Alli
 Ami Fischman
 Ananya Maiti
@@ -196,9 +198,11 @@ David Runge
 David Tucker
 David Wales
 Davidovich
+ddelange
 Deepak Sharma
 Deepyaman Datta
 Denise Yu
+dependabot[bot]
 derwolfe
 Desetude
 Devesh Kumar Singh
@@ -312,6 +316,7 @@ Ilya Baryshev
 Inada Naoki
 Ionel Cristian Mărieș
 Ionel Maries Cristian
+Itamar Turner-Trauring
 Ivan Pozdeev
 Jacob Kim
 Jacob Walls
@@ -338,6 +343,7 @@ Jay Graves
 Jean-Christophe Fillion-Robin
 Jeff Barber
 Jeff Dairiki
+Jeff Widman
 Jelmer Vernooij
 jenix21
 Jeremy Stanley
@@ -367,6 +373,7 @@ Joseph Long
 Josh Bronson
 Josh Hansen
 Josh Schneier
+Joshua
 Juan Luis Cano Rodríguez
 Juanjo Bazán
 Judah Rand
@@ -397,6 +404,7 @@ KOLANICH
 kpinc
 Krishna Oza
 Kumar McMillan
+Kurt McKee
 Kyle Persohn
 lakshmanaram
 Laszlo Kiss-Kollar
@@ -413,6 +421,7 @@ lorddavidiii
 Loren Carvalho
 Lucas Cimon
 Ludovic Gasc
+Lukas Geiger
 Lukas Juhrich
 Luke Macken
 Luo Jiebin
@@ -529,6 +538,7 @@ Patrick Jenkins
 Patrick Lawson
 patricktokeeffe
 Patrik Kopkan
+Paul Ganssle
 Paul Kehrer
 Paul Moore
 Paul Nasrat
@@ -609,6 +619,7 @@ ryneeverett
 Sachi King
 Salvatore Rinchiera
 sandeepkiran-js
+Sander Van Balen
 Savio Jomton
 schlamar
 Scott Kitterman
@@ -621,6 +632,7 @@ SeongSoo Cho
 Sergey Vasilyev
 Seth Michael Larson
 Seth Woodworth
+Shahar Epstein
 Shantanu
 shireenrao
 Shivansh-007
@@ -648,6 +660,7 @@ Steve Kowalik
 Steven Myint
 Steven Silvester
 stonebig
+studioj
 Stéphane Bidoul
 Stéphane Bidoul (ACSONE)
 Stéphane Klein

NEWS.rst

@@ -9,13 +9,80 @@
 
 .. towncrier release notes start
 
+23.3.1 (2023-10-21)
+===================
+
+Bug Fixes
+---------
+
+- Handle a timezone indicator of Z when parsing dates in the self check. (`#12338 <https:/pypa/pip/issues/12338>`_)
+- Fix bug where installing the same package at the same time with multiple pip processes could fail. (`#12361 <https:/pypa/pip/issues/12361>`_)
+
+
+23.3 (2023-10-15)
+=================
+
+Process
+-------
+
+- Added reference to `vulnerability reporting guidelines <https://www.python.org/dev/security/>`_ to pip's security policy.
+
+Deprecations and Removals
+-------------------------
+
+- Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (`#12175 <https:/pypa/pip/issues/12175>`_)
+
+Features
+--------
+
+- Improve extras resolution for multiple constraints on same base package. (`#11924 <https:/pypa/pip/issues/11924>`_)
+- Improve use of datastructures to make candidate selection 1.6x faster. (`#12204 <https:/pypa/pip/issues/12204>`_)
+- Allow ``pip install --dry-run`` to use platform and ABI overriding options. (`#12215 <https:/pypa/pip/issues/12215>`_)
+- Add ``is_yanked`` boolean entry to the installation report (``--report``) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:`592`. (`#12224 <https:/pypa/pip/issues/12224>`_)
+
+Bug Fixes
+---------
+
+- Ignore errors in temporary directory cleanup (show a warning instead). (`#11394 <https:/pypa/pip/issues/11394>`_)
+- Normalize extras according to :pep:`685` from package metadata in the resolver
+ for comparison. This ensures extras are correctly compared and merged as long
+ as the package providing the extra(s) is built with values normalized according
+ to the standard. Note, however, that this *does not* solve cases where the
+ package itself contains unnormalized extra values in the metadata. (`#11649 <https:/pypa/pip/issues/11649>`_)
+- Prevent downloading sdists twice when :pep:`658` metadata is present. (`#11847 <https:/pypa/pip/issues/11847>`_)
+- Include all requested extras in the install report (``--report``). (`#11924 <https:/pypa/pip/issues/11924>`_)
+- Removed uses of ``datetime.datetime.utcnow`` from non-vendored code. (`#12005 <https:/pypa/pip/issues/12005>`_)
+- Consistently report whether a dependency comes from an extra. (`#12095 <https:/pypa/pip/issues/12095>`_)
+- Fix completion script for zsh (`#12166 <https:/pypa/pip/issues/12166>`_)
+- Fix improper handling of the new onexc argument of ``shutil.rmtree()`` in Python 3.12. (`#12187 <https:/pypa/pip/issues/12187>`_)
+- Filter out yanked links from the available versions error message: "(from versions: 1.0, 2.0, 3.0)" will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (`#12225 <https:/pypa/pip/issues/12225>`_)
+- Fix crash when the git version number contains something else than digits and dots. (`#12280 <https:/pypa/pip/issues/12280>`_)
+- Use ``-r=...`` instead of ``-r ...`` to specify references with Mercurial. (`#12306 <https:/pypa/pip/issues/12306>`_)
+- Redact password from URLs in some additional places. (`#12350 <https:/pypa/pip/issues/12350>`_)
+- pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (`#2984 <https:/pypa/pip/issues/2984>`_)
+
+Vendored Libraries
+------------------
+
+- Upgrade certifi to 2023.7.22
+- Add truststore 0.8.0
+- Upgrade urllib3 to 1.26.17
+
+Improved Documentation
+----------------------
+
+- Document that ``pip search`` support has been removed from PyPI (`#12059 <https:/pypa/pip/issues/12059>`_)
+- Clarify --prefer-binary in CLI and docs (`#12122 <https:/pypa/pip/issues/12122>`_)
+- Document that using OS-provided Python can cause pip's test suite to report false failures. (`#12334 <https:/pypa/pip/issues/12334>`_)
+
+
 23.2.1 (2023-07-22)
 ===================
 
 Bug Fixes
 ---------
 
-- Disable PEP 658 metadata fetching with the legacy resolver. (`#12156 <https:/pypa/pip/issues/12156>`_)
+- Disable :pep:`658` metadata fetching with the legacy resolver. (`#12156 <https:/pypa/pip/issues/12156>`_)
 
 
 23.2 (2023-07-15)
@@ -45,11 +112,11 @@ Bug Fixes
 ---------
 
 - Fix ``pip completion --zsh``. (`#11417 <https:/pypa/pip/issues/11417>`_)
-- Prevent downloading files twice when PEP 658 metadata is present (`#11847 <https:/pypa/pip/issues/11847>`_)
+- Prevent downloading files twice when :pep:`658` metadata is present (`#11847 <https:/pypa/pip/issues/11847>`_)
 - Add permission check before configuration (`#11920 <https:/pypa/pip/issues/11920>`_)
 - Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (`#11957 <https:/pypa/pip/issues/11957>`_)
 - Ignore invalid or unreadable ``origin.json`` files in the cache of locally built wheels. (`#11985 <https:/pypa/pip/issues/11985>`_)
-- Fix installation of packages with PEP658 metadata using non-canonicalized names (`#12038 <https:/pypa/pip/issues/12038>`_)
+- Fix installation of packages with :pep:`658` metadata using non-canonicalized names (`#12038 <https:/pypa/pip/issues/12038>`_)
 - Correctly parse ``dist-info-metadata`` values from JSON-format index data. (`#12042 <https:/pypa/pip/issues/12042>`_)
 - Fail with an error if the ``--python`` option is specified after the subcommand name. (`#12067 <https:/pypa/pip/issues/12067>`_)
 - Fix slowness when using ``importlib.metadata`` (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (`#12079 <https:/pypa/pip/issues/12079>`_)
@@ -220,7 +287,7 @@ Features
 
 - Change the hashes in the installation report to be a mapping. Emit the
  ``archive_info.hashes`` dictionary in ``direct_url.json``. (`#11312 <https:/pypa/pip/issues/11312>`_)
-- Implement logic to read the ``EXTERNALLY-MANAGED`` file as specified in PEP 668.
+- Implement logic to read the ``EXTERNALLY-MANAGED`` file as specified in :pep:`668`.
  This allows a downstream Python distributor to prevent users from using pip to
  modify the externally managed environment. (`#11381 <https:/pypa/pip/issues/11381>`_)
 - Enable the use of ``keyring`` found on ``PATH``. This allows ``keyring``
@@ -236,7 +303,7 @@ Bug Fixes
 - Use the "venv" scheme if available to obtain prefixed lib paths. (`#11598 <https:/pypa/pip/issues/11598>`_)
 - Deprecated a historical ambiguity in how ``egg`` fragments in URL-style
  requirements are formatted and handled. ``egg`` fragments that do not look
- like PEP 508 names now produce a deprecation warning. (`#11617 <https:/pypa/pip/issues/11617>`_)
+ like :pep:`508` names now produce a deprecation warning. (`#11617 <https:/pypa/pip/issues/11617>`_)
 - Fix scripts path in isolated build environment on Debian. (`#11623 <https:/pypa/pip/issues/11623>`_)
 - Make ``pip show`` show the editable location if package is editable (`#11638 <https:/pypa/pip/issues/11638>`_)
 - Stop checking that ``wheel`` is present when ``build-system.requires``

README.rst

@@ -3,9 +3,15 @@ pip - The Python Package Installer
 
 .. image:: https://img.shields.io/pypi/v/pip.svg
  :target: https://pypi.org/project/pip/
+ :alt: PyPI
+
+.. image:: https://img.shields.io/pypi/pyversions/pip
+ :target: https://pypi.org/project/pip
+ :alt: PyPI - Python Version
 
 .. image:: https://readthedocs.org/projects/pip/badge/?version=latest
  :target: https://pip.pypa.io/en/latest
+ :alt: Documentation
 
 pip is the `package installer`_ for Python. You can use pip to install packages from the `Python Package Index`_ and other indexes.
 
@@ -19,8 +25,6 @@ We release updates regularly, with a new version every 3 months. Find more detai
 * `Release notes`_
 * `Release process`_
 
-**Note**: pip 21.0, in January 2021, removed Python 2 support, per pip's `Python 2 support policy`_. Please migrate to Python 3.
-
 If you find bugs, need help, or want to talk to the developers, please use our mailing lists or chat rooms:
 
 * `Issue tracking`_
@@ -47,7 +51,6 @@ rooms, and mailing lists is expected to follow the `PSF Code of Conduct`_.
 .. _Release process: https://pip.pypa.io/en/latest/development/release-process/
 .. _GitHub page: https:/pypa/pip
 .. _Development documentation: https://pip.pypa.io/en/latest/development
-.. _Python 2 support policy: https://pip.pypa.io/en/latest/development/release-process/#python-2-support
 .. _Issue tracking: https:/pypa/pip/issues
 .. _Discourse channel: https://discuss.python.org/c/packaging
 .. _User IRC: https://kiwiirc.com/nextclient/#ircs://irc.libera.chat:+6697/pypa

docs/html/development/contributing.rst

@@ -112,7 +112,7 @@ the ``news/`` directory with the extension of ``.trivial.rst``. If you are on a
 POSIX like operating system, one can be added by running
 ``touch news/$(uuidgen).trivial.rst``. On Windows, the same result can be
 achieved in Powershell using ``New-Item "news/$([guid]::NewGuid()).trivial.rst"``.
-Core committers may also add a "trivial" label to the PR which will accomplish
+Core committers may also add a "skip news" label to the PR which will accomplish
 the same thing.
 
 Upgrading, removing, or adding a new vendored library gets a special mention

docs/html/development/getting-started.rst

@@ -73,7 +73,7 @@ pip's tests are written using the :pypi:`pytest` test framework and
 :mod:`unittest.mock`. :pypi:`nox` is used to automate the setup and execution
 of pip's tests.
 
-It is preferable to run the tests in parallel for better experience during development,
+It is preferable to run the tests in parallel for a better experience during development,
 since the tests can take a long time to finish when run sequentially.
 
 To run tests:
@@ -104,6 +104,15 @@ can select tests using the various ways that pytest provides:
  $ # Using keywords
  $ nox -s test-3.10 -- -k "install and not wheel"
 
+.. note::
+
+ When running pip's tests with OS distribution Python versions, be aware that some
+ functional tests may fail due to potential patches introduced by the distribution.
+ For all tests to pass consider:
+
+ - Installing Python from `python.org`_ or compile from source
+ - Or, using `pyenv`_ to assist with source compilation
+
 Running pip's entire test suite requires supported version control tools
 (subversion, bazaar, git, and mercurial) to be installed. If you are missing
 any of these VCS, those tests should be skipped automatically. You can also
@@ -114,6 +123,9 @@ explicitly tell pytest to skip those tests:
  $ nox -s test-3.10 -- -k "not svn"
  $ nox -s test-3.10 -- -k "not (svn or git)"
 
+.. _python.org: https://www.python.org/downloads/
+.. _pyenv: https:/pyenv/pyenv
+
 
 Running Linters
 ===============

docs/html/development/release-process.rst

@@ -145,8 +145,8 @@ Creating a new release
 #. Push the tag created by ``prepare-release``.
 #. Regenerate the ``get-pip.py`` script in the `get-pip repository`_ (as
  documented there) and commit the results.
-#. Submit a Pull Request to `CPython`_ adding the new version of pip (and upgrading
- setuptools) to ``Lib/ensurepip/_bundled``, removing the existing version, and
+#. Submit a Pull Request to `CPython`_ adding the new version of pip
+ to ``Lib/ensurepip/_bundled``, removing the existing version, and
  adjusting the versions listed in ``Lib/ensurepip/__init__.py``.