Skip to content

ci: bump pip from 26.0.1 to 26.1.2#76

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pip-26.1.2
Open

ci: bump pip from 26.0.1 to 26.1.2#76
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pip-26.1.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps pip from 26.0.1 to 26.1.2.

Changelog

Sourced from pip's changelog.

26.1.2 (2026-05-31)

Bug Fixes

  • Reject console_scripts and gui_scripts entry points whose name would install a script outside the scripts directory. ([#14000](https://github.com/pypa/pip/issues/14000) <https://github.com/pypa/pip/issues/14000>_)
  • Fix installation incorrectly failing when the target path contains a doubled slash, such as with pip install --root //.... ([#14001](https://github.com/pypa/pip/issues/14001) <https://github.com/pypa/pip/issues/14001>_)
  • Send a consistent Accept-Encoding header to avoid a spurious Cache entry deserialization failed warning. ([#14012](https://github.com/pypa/pip/issues/14012) <https://github.com/pypa/pip/issues/14012>_)

26.1.1 (2026-05-04)

Bug Fixes

  • Fix issue where uninstallation left behind empty directories. Revert the removal of the adjacent __pycache__ directory when a .py file is removed. ([#13973](https://github.com/pypa/pip/issues/13973) <https://github.com/pypa/pip/issues/13973>_)

26.1 (2026-04-26)

Deprecations and Removals

  • Drop support for Python 3.9. ([#13795](https://github.com/pypa/pip/issues/13795) <https://github.com/pypa/pip/issues/13795>_)

Features

  • Add experimental support to read requirements from standardized pylock.toml files (-r pylock.toml). ([#13876](https://github.com/pypa/pip/issues/13876) <https://github.com/pypa/pip/issues/13876>_)
  • Allow --uploaded-prior-to to accept a duration in days (e.g., P3D for 3 days ago). ([#13674](https://github.com/pypa/pip/issues/13674) <https://github.com/pypa/pip/issues/13674>_)

Enhancements

  • Speed up dependency resolution when there are complex conflicts. ([#13859](https://github.com/pypa/pip/issues/13859) <https://github.com/pypa/pip/issues/13859>_)
  • Reduce memory usage when resolving large dependency trees. ([#13843](https://github.com/pypa/pip/issues/13843) <https://github.com/pypa/pip/issues/13843>_)
  • Emit a deprecation warning when pip imports an unexpected module after installation of a distribution has started. ([#13912](https://github.com/pypa/pip/issues/13912) <https://github.com/pypa/pip/issues/13912>_)
  • Allow URL constraints to apply to requirements with extras. ([#12018](https://github.com/pypa/pip/issues/12018) <https://github.com/pypa/pip/issues/12018>_)
  • Allow unpinned requirements to use hashes from constraints. Constraints like {name}=={version} --hash=... feeds into hash verification for a corresponding requirement. ([#9243](https://github.com/pypa/pip/issues/9243) <https://github.com/pypa/pip/issues/9243>_)
  • Improve conflict reports that involve direct URLs. ([#13932](https://github.com/pypa/pip/issues/13932) <https://github.com/pypa/pip/issues/13932>_)
  • Show all errors instead of first error for faulty dependency_groups definitions. ([#13917](https://github.com/pypa/pip/issues/13917) <https://github.com/pypa/pip/issues/13917>_)

... (truncated)

Commits
  • 31d7d16 Bump for release
  • 79f348c Update AUTHORS.txt
  • 237a925 Merge pull request #14001 from notatallshaw/fix-is-within-directory
  • 34d0285 Merge pull request #14006 from laymonage/fix-requirements_from_scripts-space-...
  • 09d3e07 Merge pull request #14012 from notatallshaw/stable-accept-encoding
  • fa7854f Use is_within_directory for entry point check
  • d01b46c NEWS ENTRY
  • 7ff8bdd Fix is_within_directory for doubled-slash roots
  • 7ea3466 NEWS ENTRY
  • 85673ea Fix Accept-Encoding to gzip, deflate
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [pip](https://github.com/pypa/pip) from 26.0.1 to 26.1.2.
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@26.0.1...26.1.2)

---
updated-dependencies:
- dependency-name: pip
  dependency-version: 26.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 10, 2026
@github-actions

Copy link
Copy Markdown
Contributor

❌ Some test workflows did not match expectations

12 passed, 1 failed

Test Name Expected Actual Bandit pip-audit Result
01 requirements · flat · clean success success
02 requirements · src/ · bandit HIGH failure failure B105, B404, B602
03 requirements · src/+scripts/ · bandit HIGH + pip-audit failure failure B105, B404, B602 cryptography, idna, requests, urllib3
04 uv · flat · clean success success
05 uv · src/ · pip-audit vuln failure failure idna, requests, urllib3
06 uv · src/+scripts/ · bandit MEDIUM failure failure B324, B506
07 poetry · flat · clean success success
08 poetry · src/ · bandit MEDIUM + pip-audit failure failure B105, B324 cryptography, idna, requests, urllib3
09 pipenv · flat · clean success failure idna
10 pipenv · src/+scripts/ · bandit HIGH failure failure B404, B602
11 requirements · flat · clean (root working dir) success success
12 uv · flat · bandit-only (no pip-audit) failure failure B404, B602 disabled
14 uv · flat · low threshold (B101 assert) failure failure B101 disabled

Error details

Test 09 — pipenv · flat · clean

  • Conclusion: expected success, got failure
  • pip-audit: expected no vulns, got 2 (idna)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants