Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Excessive memory use when caching large packages #2984

Closed
wolever opened this issue Jul 20, 2015 · 41 comments · Fixed by #11143
Closed

Excessive memory use when caching large packages #2984

wolever opened this issue Jul 20, 2015 · 41 comments · Fixed by #11143
Labels
project: vendored dependency Related to a vendored dependency type: bug A confirmed bug or unintended behavior

Comments

@wolever
Copy link

wolever commented Jul 20, 2015

I'm getting a MemoryError while trying to install a large package (matplotlib) in a low memory (512mb) environment. It appears that the cause is the caching mechanism, as disabling the cache fixes the issue.

$ pip --version
pip 7.1.0 from /…/virtualenv/local/lib/python2.7/site-packages (python 2.7)
$ pip install matplotlib==1.4.3
Collecting matplotlib==1.4.3
  Downloading matplotlib-1.4.3.tar.gz (50.4MB)
    99% |████████████████████████████████| 50.4MB 20.5MB/s eta 0:00:01
Exception:
Traceback (most recent call last):
  File ".../pip/basecommand.py", line 223, in main
    status = self.run(options, args)
  File ".../pip/commands/install.py", line 282, in run
    requirement_set.prepare_files(finder)
  File ".../pip/req/req_set.py", line 334, in prepare_files
    functools.partial(self._prepare_file, finder))
  File ".../pip/req/req_set.py", line 321, in _walk_req_to_install
    more_reqs = handler(req_to_install)
  File ".../pip/req/req_set.py", line 491, in _prepare_file
    session=self.session)
  File ".../pip/download.py", line 825, in unpack_url
    session,
  File ".../pip/download.py", line 673, in unpack_http_url
    from_path, content_type = _download_http_url(link, session, temp_dir)
  File ".../pip/download.py", line 886, in _download_http_url
    _download_url(resp, link, content_file)
  File ".../pip/download.py", line 621, in _download_url
    for chunk in progress_indicator(resp_read(4096), 4096):
  File ".../pip/utils/ui.py", line 133, in iter
    for x in it:
  File ".../pip/download.py", line 586, in resp_read
    decode_content=False):
  File ".../pip/_vendor/requests/packages/urllib3/response.py", line 307, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File ".../pip/_vendor/requests/packages/urllib3/response.py", line 243, in read
    data = self._fp.read(amt)
  File ".../pip/_vendor/cachecontrol/filewrapper.py", line 54, in read
    self.__callback(self.__buf.getvalue())
  File ".../pip/_vendor/cachecontrol/controller.py", line 224, in cache_response
    self.serializer.dumps(request, response, body=body),
  File ".../pip/_vendor/cachecontrol/serialize.py", line 81, in dumps
    ).encode("utf8"),
MemoryError
$ pip install --no-cache-dir matplotlib==1.4.3
…
Successfully installed matplotlib-1.4.3
@fbender
Copy link

fbender commented May 18, 2016

Experiencing the same with basemap on a 4GB machine (Win 7):

$>pip install https://github.com/matplotlib/base
map/archive/v1.0.7rel.tar.gz
Collecting https://github.com/matplotlib/basemap/archive/v1
.0.7rel.tar.gz
  Downloading https://github.com/matplotlib/basemap/archive
/v1.0.7rel.tar.gz
     \ 131.5MB 1.3MB/sException:
Traceback (most recent call last):
  File "c:\python27\lib\site-packages\pip\basecommand.py",
line 215, in main
    status = self.run(options, args)
  File "c:\python27\lib\site-packages\pip\commands\install.
py", line 299, in run
    requirement_set.prepare_files(finder)
  File "c:\python27\lib\site-packages\pip\req\req_set.py",
line 370, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "c:\python27\lib\site-packages\pip\req\req_set.py",
line 587, in _prepare_file
    session=self.session, hashes=hashes)
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 810, in unpack_url
    hashes=hashes
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 649, in unpack_http_url
    hashes)
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 871, in _download_http_url
    _download_url(resp, link, content_file, hashes)
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 597, in _download_url
    consume(downloaded_chunks)
  File "c:\python27\lib\site-packages\pip\utils\__init__.py
", line 860, in consume
    deque(iterator, maxlen=0)
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 563, in written_chunks
    for chunk in chunks:
  File "c:\python27\lib\site-packages\pip\utils\ui.py", lin
e 139, in iter
    for x in it:
  File "c:\python27\lib\site-packages\pip\download.py", lin
e 552, in resp_read
    decode_content=False):
  File "c:\python27\lib\site-packages\pip\_vendor\requests\
packages\urllib3\response.py", line 353, in stream
    data = self.read(amt=amt, decode_content=decode_content
)
  File "c:\python27\lib\site-packages\pip\_vendor\requests\
packages\urllib3\response.py", line 310, in read
    data = self._fp.read(amt)
  File "c:\python27\lib\site-packages\pip\_vendor\cachecont
rol\filewrapper.py", line 54, in read
    self.__callback(self.__buf.getvalue())
  File "c:\python27\lib\site-packages\pip\_vendor\cachecont
rol\controller.py", line 275, in cache_response
    self.serializer.dumps(request, response, body=body),
  File "c:\python27\lib\site-packages\pip\_vendor\cachecont
rol\serialize.py", line 87, in dumps
    ).encode("utf8"),
MemoryError

@renekliment
Copy link

I can confirm this. We had this problem over at AlexaPi when installing pocketsphinx. Using the workaround for now.

renekliment added a commit to renekliment/AlexaPi that referenced this issue Nov 18, 2016
renekliment added a commit to alexa-pi/AlexaPi that referenced this issue Nov 27, 2016
* modularized and generalized, cleanup

* config: renamed ProductID to Device_Type_ID

* support for Arch Linux (instructions by @maso27)

* support for currently supported boards in AlexaPI (GPIO libs install, etc)

* added unit overrides for various things

* set up GPIO permissions (udev)

* use pip instead of system packaging where possible

* disabled pip cache due to pypa/pip#2984

* change default device_platform to dummy

* set device-specific config on install
@xavfernandez
Copy link
Member

xavfernandez commented Mar 24, 2017

This might be less relevant with the switch from json to msgpack in psf/cachecontrol#115 (which should be less memory consuming):

(tmp-c57a6e553d812e0) [xfernandez@xaferiba tmp-c57a6e553d812e0]$ pip -V
pip 9.0.1 from /home/xfernandez/.virtualenvs/tmp-c57a6e553d812e0/lib/python3.6/site-packages (python 3.6)
(tmp-c57a6e553d812e0) [xfernandez@xaferiba tmp-c57a6e553d812e0]$ /usr/bin/time -v pip download matplotlib --no-deps
Collecting matplotlib
  Downloading https://some.pypi/root/pypi/+f/500/8fb7ea1062dc9/matplotlib-2.0.0-1-cp36-cp36m-manylinux1_x86_64.whl (14.7MB)
    100% |████████████████████████████████| 14.7MB 108kB/s
  Saved ./matplotlib-2.0.0-1-cp36-cp36m-manylinux1_x86_64.whl
Successfully downloaded matplotlib
        Command being timed: "pip download matplotlib --no-deps"
        ...
        Maximum resident set size (kbytes): 104924
        ...

# Remove cache, downloaded file and install pip on master

(tmp-c57a6e553d812e0) [xfernandez@xaferiba tmp-c57a6e553d812e0]$ pip -V
pip 10.0.0.dev0 from /home/xfernandez/.virtualenvs/tmp-c57a6e553d812e0/lib/python3.6/site-packages (python 3.6)
(tmp-c57a6e553d812e0) [xfernandez@xaferiba tmp-c57a6e553d812e0]$ /usr/bin/time -v pip download matplotlib --no-deps
Collecting matplotlib
  Downloading https://some.pypi/root/pypi/+f/500/8fb7ea1062dc9/matplotlib-2.0.0-1-cp36-cp36m-manylinux1_x86_64.whl (14.7MB)
    100% |████████████████████████████████| 14.7MB 3.5MB/s
  Saved ./matplotlib-2.0.0-1-cp36-cp36m-manylinux1_x86_64.whl
Successfully downloaded matplotlib
        Command being timed: "pip download matplotlib --no-deps"
        ...
        Maximum resident set size (kbytes): 80384
        ...

So I guess this won't solve the issue.

The next possible thing would be to create an issue for cachecontrol:
it could catch the MemoryError, log a warning, give up on caching the response but still provide the response to requests/pip.

@pradyunsg
Copy link
Member

pradyunsg commented Oct 17, 2017

Does anyone know what the state of this is? Was a PR made of cachecontrol at some point or not? Is there something that pip can do completely on it's own about this?

@pradyunsg pradyunsg added type: bug A confirmed bug or unintended behavior S: awaiting response Waiting for a response/more information and removed S: awaiting response Waiting for a response/more information labels Mar 4, 2018
@pradyunsg
Copy link
Member

So, searching in ionrock/cachecontrol for "memoryerror" didn't have anything show up.

I have a little too much RAM on my local machine for this. Could someone try this with the latest master and confirm that this is still an issue?

@benjaoming
Copy link

benjaoming commented Aug 2, 2018

This is consistently reproducible on a Raspberry Pi 3, installing a simple 60 MB package that I made for testing it:

$ sudo pip install python-bogus-project-honeypot==1531935488.89
Collecting python-bogus-project-honeypot==1531935488.89
  Downloading https://files.pythonhosted.org/packages/73/af/f8c97c8665e43e3d2cc59af09220ccb4705557ee77cd947f98b6b6d1ca3d/python_bogus_project_honeypot-1531935488.89-py2.py3-none-any.whl (61.9MB)
    99% |████████████████████████████████| 61.9MB 7.4MB/s eta 0:00:01Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 353, in run
    wb.build(autobuilding=True)
  File "/usr/lib/python2.7/dist-packages/pip/wheel.py", line 749, in build
    self.requirement_set.prepare_files(self.finder)
  File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 380, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 620, in _prepare_file
    session=self.session, hashes=hashes)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 821, in unpack_url
    hashes=hashes
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 659, in unpack_http_url
    hashes)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 882, in _download_http_url
    _download_url(resp, link, content_file, hashes)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 603, in _download_url
    hashes.check_against_chunks(downloaded_chunks)
  File "/usr/lib/python2.7/dist-packages/pip/utils/hashes.py", line 46, in check_against_chunks
    for chunk in chunks:
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 571, in written_chunks
    for chunk in chunks:
  File "/usr/lib/python2.7/dist-packages/pip/utils/ui.py", line 139, in iter
    for x in it:
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 560, in resp_read
    decode_content=False):
  File "/usr/share/python-wheels/urllib3-1.19.1-py2.py3-none-any.whl/urllib3/response.py", line 432, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/usr/share/python-wheels/urllib3-1.19.1-py2.py3-none-any.whl/urllib3/response.py", line 380, in read
    data = self._fp.read(amt)
  File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/filewrapper.py", line 63, in read
    self._close()
  File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/filewrapper.py", line 50, in _close
    self.__callback(self.__buf.getvalue())
  File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/controller.py", line 275, in cache_response
    self.serializer.dumps(request, response, body=body),
  File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/serialize.py", line 86, in dumps
    data, separators=(",", ":"), sort_keys=True,
  File "/usr/lib/python2.7/json/__init__.py", line 251, in dumps
    sort_keys=sort_keys, **kw).encode(obj)
  File "/usr/lib/python2.7/json/encoder.py", line 210, in encode
    return ''.join(chunks)
MemoryError

@zukunft
Copy link

zukunft commented Jan 27, 2019

Maybe I had a similar case on Kubuntu 18.10:

Collecting PySide2
Downloading https://files.pythonhosted.org/packages/9c/4e/56868d88362f63fba524abc0e000053334cadea2cebc946ea104a9c938a4/PySide2-5.12.0-5.12.0-cp27-cp27mu-manylinux1_x86_64.whl (144.0MB)
99% |████████████████████████████████| 144.0MB 119kB/s eta 0:00:01Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 353, in run
wb.build(autobuilding=True)
File "/usr/lib/python2.7/dist-packages/pip/wheel.py", line 749, in build
self.requirement_set.prepare_files(self.finder)
File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 380, in prepare_files
ignore_dependencies=self.ignore_dependencies))
File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 620, in _prepare_file
session=self.session, hashes=hashes)
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 821, in unpack_url
hashes=hashes
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 659, in unpack_http_url
hashes)
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 882, in _download_http_url
_download_url(resp, link, content_file, hashes)
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 603, in _download_url
hashes.check_against_chunks(downloaded_chunks)
File "/usr/lib/python2.7/dist-packages/pip/utils/hashes.py", line 46, in check_against_chunks
for chunk in chunks:
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 571, in written_chunks
for chunk in chunks:
File "/usr/lib/python2.7/dist-packages/pip/utils/ui.py", line 139, in iter
for x in it:
File "/usr/lib/python2.7/dist-packages/pip/download.py", line 560, in resp_read
decode_content=False):
File "/usr/share/python-wheels/urllib3-1.22-py2.py3-none-any.whl/urllib3/response.py", line 436, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/usr/share/python-wheels/urllib3-1.22-py2.py3-none-any.whl/urllib3/response.py", line 384, in read
data = self._fp.read(amt)
File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/filewrapper.py", line 63, in read
self._close()
File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/filewrapper.py", line 50, in _close
self._callback(self._buf.getvalue())
File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/controller.py", line 275, in cache_response
self.serializer.dumps(request, response, body=body),
File "/usr/share/python-wheels/CacheControl-0.11.7-py2.py3-none-any.whl/cachecontrol/serialize.py", line 87, in dumps
).encode("utf8"),
MemoryError

@bennuttall
Copy link

I've experienced this downloading Tensorflow on Raspberry Pi, though generally only when using Python 2.

@pradyunsg
Copy link
Member

Thanks @benjaoming @zukunft and @bennuttall for the confirmation!

The next possible thing would be to create an issue for cachecontrol:
it could catch the MemoryError, log a warning, give up on caching the response but still provide the response to requests/pip.

As @xavfernandez noted earlier, this would be the way forward on this issue.

@astrojuanlu
Copy link
Contributor

Some extra information about this issue in #9678. I noticed that the peak RAM consumption ends up being ~3 times the size of the downloaded wheel.

Apart from the suggestion above of catching the MemoryError, I wonder if there's a more efficient way of doing things. It's weird to me that downloading files requires such a large amount of RAM. In any case, I acknowledge that perhaps we should continue the discussion in psf/cachecontrol#145.

@uranusjr
Copy link
Member

uranusjr commented Apr 8, 2022

Let’s try out requests-cache first, if we can keep pip’s current cache structure with it, and it solves the memory issue (or if it doesn’t, get a patch accepted in it to solve it), pip can switch to it directly.

So the first step would be to create a pip fork making the switch to test out things.

@pradyunsg
Copy link
Member

I'd be fine with dropping support for writing in the same cache format, as long as we can read from the existing cache. Even with that, I'd be fine with removing the read support after a migration period where we do a bit of publicity about this cache format change.

@pradyunsg
Copy link
Member

I would also double-check that requests-cache has the right licenses and that the requests-cache maintainers are fine with the constraints that come with being vendored in pip (see pygments/pygments#1953 for example).

@itamarst
Copy link
Contributor

itamarst commented Apr 11, 2022

Thanks. Here's my todo list based on the above. I'll fill it in and/or expand as I learn more.

Preliminary screening:

  • Is the license OK: BSD 2-clause, should be fine (https://github.com/reclosedev/requests-cache/blob/master/LICENSE)
  • Are the dependencies' licenses OK
    • attrs: MIT
    • cattrs: MIT
    • url-normalize: MIT
    • appdirs: MIT
    • typing_extensions: PSF
  • X Are there too many dependencies... arguably yes, that's 5 extra dependencies (assuming CacheControl being swapped for requests-cache doesn't change number of dependencies, and we still need msgpack for backwards compat).
  • X Does the library actually use less memory: looks like at least some of the same design problems, e.g. it reads the whole response into memory. Having measured it, hand wavily memory usage for download file of size N is O(2*N).

Requirements for switching

  • Supports current format
  • Sign-off from project ala pygments ticket linked above
  • Open PR that does the switch

@pfmoore
Copy link
Member

pfmoore commented Apr 11, 2022

One other question, does this lock us into requests as a http backend? We've had discussions on possibly switching to another backend such as httpx, or using urllib3 directly. Would using a requests plugin here make this harder? (And do we care? I'm not sure what the current feeling is about making such a change).

@itamarst
Copy link
Contributor

itamarst commented Apr 11, 2022

requests-cache is very specific to requests, as is CacheControl.

There are other caching libraries for other frameworks, e.g. https://github.com/JWCook/aiohttp-client-cache for aiohttp (based on requests-cache), https://github.com/johtso/httpx-caching for httpx (based on CacheControl).

@itamarst
Copy link
Contributor

Having done the initial research above on requests-cache, now leaning towards a fork of CacheControl as a better solution. At a minimum, assuming requests-cache memory usage can be fixed, it's tradeoff between having a bunch more dependencies vs. having something you control.

@itamarst
Copy link
Contributor

My PR ended up getting merged into CacheControl just now, so maybe "just keep using it" will be an option.

@itamarst
Copy link
Contributor

And now there's a release! So will start work soon. Before that, I've been thinking about backwards compatibility. Two variations:

  1. Lose access to old data.
  2. Access old data (this seems to be what you want?). This has two variations:
    1. Keep old data around, at cost of duplication.
    2. Clear old data when matching new data is downloaded.

Since multiple versions of pip might be run in the same user environment, 2.i is better than 2.ii.

Additionally, old data and new data should never mix, to prevent breakage.

Finally, a transition across caching libraries or major versions is probably handled by pip doing the backwards compatibility layer, which probably mean vendoring both for a while. CacheControl's latest version in fact now has two storage backends, old format and new format, so that's how I'll do it with just a single version.

Thus, I propose a versioned cache, with the current cache being v1, and the new one being v2. The new one will be in ~/.cache/pip/http-v2 so as to prevent conflicts with the current version. A mere http is presumed to be v1.

Does this all sound reasonable?

@uranusjr
Copy link
Member

For Lose access to old data, would the old data just continue to exist but become essentially deadweight? I'm OK with not being able to access old data, but keeping it around feels wrong.

@pfmoore
Copy link
Member

pfmoore commented Apr 27, 2022

I agree, keeping old data around indefinitely that only older versions of pip can access/need seems wasteful. As this is only a cache, I'd prefer to simply switch over at some point and remove the old cache. I just did pip cache info and apparently I currently have a 1GB HTTP cache. That's a lot of space to simply write off as "keep it around just in case".

It's a shame CacheControl doesn't provide a mechanism to migrate the old cache to the new format, but that's their choice, I guess. Have you asked them how they expect people to upgrade to the new format?

Also, if we have v1 and v2 caches simultaneously, pip cache will need changes (pip cache list will need to list both, and do we need pip cache purge to have an option to just remove the v1 cache, for example). This is a whole load of complexity which goes away if we simply switch to a v2 cache and drop the old v1 cache.

Since multiple versions of pip might be run in the same user environment, 2.i is better than 2.ii.

I don't think we need to support people using old and new versions of pip simultaneously on the same system.

Additionally, old data and new data should never mix, to prevent breakage.

Why not just continue using the old-format cache? I'm not clear from what I see here why we need to change the cache format just because CacheControl introduced a new format. If they don't offer a transition strategy, then "we keep the old format" seems a fair response to that. Or is the memory issue only fixed with the new format? In which case we abandon the old format and use the new format exclusively, because otherwise the memory issue isn't fixed.

Basically, I think we should keep things simple, and if that means people have to do extra downloads to re-populate their cache, then that's an acceptable trade-off if we want to fix this problem.

@itamarst
Copy link
Contributor

I wrote the new CacheControl storage backend, and yes, it needs to be backwards incompatible because the old format forced high memory usage (response body and headers were merged into single file that's difficult to deserialize in parts).

It doesn't do migration because I didn't think to implement it, so that's my fault, all though it's probably a pretty easy thing to add it as 3rd party library (and also different 3rd party libraries might want different policies).

I don't think "just migrate from v1 to v2 and wipe v1" is necessarily the right thing to do. It's possible for a user to have different versions of pip at the same time on the same machine. E.g. system pip is version with cache v1, and then you do virtualenv with upgraded pip and now you're on cache v2 when using that virtualenv. And you still have old virtualenv with v1 cache. So nicest thing to do is not delete v1 cache, and have it co-exist with v2 cache, at least for a while.

The easiest thing to do is have newer pip ignore v1 cache altogether. This will mean extra downloads for the first few usages, as a downside, but it's simple and guarantees not-high memory usage, and won't break v1 compat.

@pfmoore
Copy link
Member

pfmoore commented Apr 27, 2022

The easiest thing to do is have newer pip ignore v1 cache altogether.

So how does someone (a) find out that they have a bunch of unused data left behind from an older pip, and (b) clear it out (without also clearing their new cache)?

Cluttering my PC with old, undocumented, files that I don't know if it's safe to remove is a classic problem of commercial "bloatware", and I'm very reluctant to go down that route1 with pip.

Footnotes

  1. Any more than we already have 🙁

@itamarst
Copy link
Contributor

Some options, presumably there are more:

  1. New command, pip cache purge-old-cache or some other better name.
  2. New argument, pip cache purge --max-size=1GB. This would purge the least-recently-used files from all caches, using the access time (atime on linux) file attributes.
  3. After a year or two of supporting v2 cache, pip switches to "wipe v1 cache" behavior.

Or, decide you're OK with new version of pip wiping cache for old versions of pip. Which is annoying because it costs bandwidth and download time for people who switch back and forth between versions of pip, but isn't otherwise harmful I think.

@pfmoore
Copy link
Member

pfmoore commented Apr 27, 2022

I guess we can wait until someone writes a PR to discuss the details. Now that it's more than simply "vendor the new CacheControl version", someone will have to write that PR, I guess.

I assume that if we do just vendor the new version, the upgrade will be backward compatible? We don't just get "start using the new storage and the old storage gets left behind and ignored" behaviour by default? (Because if we do, that seems like CacheControl doesn't have very good compatibility policies 🙁)

Anyway, I've now said way more on this than is justified by my actual level of concern over what we do here, so I'll leave it at that 🙂

@itamarst
Copy link
Contributor

I will try to write a PR.

mergify bot pushed a commit to aws/jsii that referenced this issue Oct 16, 2023
…k/test/generated-code (#4296)

Bumps [pip](https://github.com/pypa/pip) from 23.2.1 to 23.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines &lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (<code>[#12175](pypa/pip#12175) &lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base package. (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x faster. (<code>[#12204](pypa/pip#12204) &lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI overriding options. (<code>[#12215](pypa/pip#12215) &lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report (<code>--report</code>) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:<code>592</code>. (<code>[#12224](pypa/pip#12224) &lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning instead). (<code>[#11394](pypa/pip#11394) &lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as long
as the package providing the extra(s) is built with values normalized according
to the standard. Note, however, that this <em>does not</em> solve cases where the
package itself contains unnormalized extra values in the metadata. (<code>[#11649](pypa/pip#11649) &lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata is present. (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report (<code>--report</code>). (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from non-vendored code. (<code>[#12005](pypa/pip#12005) &lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra. (<code>[#12095](pypa/pip#12095) &lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh (<code>[#12166](pypa/pip#12166) &lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of <code>shutil.rmtree()</code> in Python 3.12. (<code>[#12187](pypa/pip#12187) &lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message: &quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (<code>[#12225](pypa/pip#12225) &lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than digits and dots. (<code>[#12280](pypa/pip#12280) &lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify references with Mercurial. (<code>[#12306](pypa/pip#12306) &lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places. (<code>[#12350](pypa/pip#12350) &lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (<code>[#2984](pypa/pip#2984) &lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a> Reclassify news fragment</li>
<li><a href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from sbidoul/readact-collecting-url</li>
<li><a href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from edmorley/patch-1</li>
<li><a href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a> Redact URLs in Collecting... logs</li>
<li><a href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a> Correct issue number for NEWS entry added by <a href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a> Upgrade urllib3 to 1.26.17 (<a href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a> Update &quot;Running Tests&quot; documentation (<a href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.2.1...23.3">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.2.1&new-version=23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
mergify bot pushed a commit to aws/jsii that referenced this issue Oct 16, 2023
…s/@jsii/python-runtime (#4295)

Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines &lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (<code>[#12175](pypa/pip#12175) &lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base package. (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x faster. (<code>[#12204](pypa/pip#12204) &lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI overriding options. (<code>[#12215](pypa/pip#12215) &lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report (<code>--report</code>) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:<code>592</code>. (<code>[#12224](pypa/pip#12224) &lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning instead). (<code>[#11394](pypa/pip#11394) &lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as long
as the package providing the extra(s) is built with values normalized according
to the standard. Note, however, that this <em>does not</em> solve cases where the
package itself contains unnormalized extra values in the metadata. (<code>[#11649](pypa/pip#11649) &lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata is present. (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report (<code>--report</code>). (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from non-vendored code. (<code>[#12005](pypa/pip#12005) &lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra. (<code>[#12095](pypa/pip#12095) &lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh (<code>[#12166](pypa/pip#12166) &lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of <code>shutil.rmtree()</code> in Python 3.12. (<code>[#12187](pypa/pip#12187) &lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message: &quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (<code>[#12225](pypa/pip#12225) &lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than digits and dots. (<code>[#12280](pypa/pip#12280) &lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify references with Mercurial. (<code>[#12306](pypa/pip#12306) &lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places. (<code>[#12350](pypa/pip#12350) &lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (<code>[#2984](pypa/pip#2984) &lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a> Reclassify news fragment</li>
<li><a href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from sbidoul/readact-collecting-url</li>
<li><a href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from edmorley/patch-1</li>
<li><a href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a> Redact URLs in Collecting... logs</li>
<li><a href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a> Correct issue number for NEWS entry added by <a href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a> Upgrade urllib3 to 1.26.17 (<a href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a> Update &quot;Running Tests&quot; documentation (<a href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.2...23.3">compare view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Oct 16, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.2.1 to 23.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines &lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (<code>[#12175](pypa/pip#12175) &lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base package. (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x faster. (<code>[#12204](pypa/pip#12204) &lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI overriding options. (<code>[#12215](pypa/pip#12215) &lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report (<code>--report</code>) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:<code>592</code>. (<code>[#12224](pypa/pip#12224) &lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning instead). (<code>[#11394](pypa/pip#11394) &lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as long
as the package providing the extra(s) is built with values normalized according
to the standard. Note, however, that this <em>does not</em> solve cases where the
package itself contains unnormalized extra values in the metadata. (<code>[#11649](pypa/pip#11649) &lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata is present. (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report (<code>--report</code>). (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from non-vendored code. (<code>[#12005](pypa/pip#12005) &lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra. (<code>[#12095](pypa/pip#12095) &lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh (<code>[#12166](pypa/pip#12166) &lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of <code>shutil.rmtree()</code> in Python 3.12. (<code>[#12187](pypa/pip#12187) &lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message: &quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (<code>[#12225](pypa/pip#12225) &lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than digits and dots. (<code>[#12280](pypa/pip#12280) &lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify references with Mercurial. (<code>[#12306](pypa/pip#12306) &lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places. (<code>[#12350](pypa/pip#12350) &lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (<code>[#2984](pypa/pip#2984) &lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a> Reclassify news fragment</li>
<li><a href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from sbidoul/readact-collecting-url</li>
<li><a href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from edmorley/patch-1</li>
<li><a href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a> Redact URLs in Collecting... logs</li>
<li><a href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a> Correct issue number for NEWS entry added by <a href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a> Upgrade urllib3 to 1.26.17 (<a href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a> Update &quot;Running Tests&quot; documentation (<a href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.2.1...23.3">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.2.1&new-version=23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Oct 16, 2023
Bumps [pip](https://github.com/pypa/pip) from 23.2.1 to 23.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines &lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (<code>[#12175](pypa/pip#12175) &lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base package. (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x faster. (<code>[#12204](pypa/pip#12204) &lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI overriding options. (<code>[#12215](pypa/pip#12215) &lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report (<code>--report</code>) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:<code>592</code>. (<code>[#12224](pypa/pip#12224) &lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning instead). (<code>[#11394](pypa/pip#11394) &lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as long
as the package providing the extra(s) is built with values normalized according
to the standard. Note, however, that this <em>does not</em> solve cases where the
package itself contains unnormalized extra values in the metadata. (<code>[#11649](pypa/pip#11649) &lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata is present. (<code>[#11847](pypa/pip#11847) &lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report (<code>--report</code>). (<code>[#11924](pypa/pip#11924) &lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from non-vendored code. (<code>[#12005](pypa/pip#12005) &lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra. (<code>[#12095](pypa/pip#12095) &lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh (<code>[#12166](pypa/pip#12166) &lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of <code>shutil.rmtree()</code> in Python 3.12. (<code>[#12187](pypa/pip#12187) &lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message: &quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (<code>[#12225](pypa/pip#12225) &lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than digits and dots. (<code>[#12280](pypa/pip#12280) &lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify references with Mercurial. (<code>[#12306](pypa/pip#12306) &lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places. (<code>[#12350](pypa/pip#12350) &lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (<code>[#2984](pypa/pip#2984) &lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a> Reclassify news fragment</li>
<li><a href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from sbidoul/readact-collecting-url</li>
<li><a href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from edmorley/patch-1</li>
<li><a href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a> Redact URLs in Collecting... logs</li>
<li><a href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a> Correct issue number for NEWS entry added by <a href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a> Upgrade urllib3 to 1.26.17 (<a href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a> Update &quot;Running Tests&quot; documentation (<a href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a> Merge pull request <a href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/23.2.1...23.3">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.2.1&new-version=23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
github-actions bot pushed a commit to bacalhau-project/bacalhau that referenced this issue Nov 6, 2023
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines
&lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security
policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful
when pip detected OpenSSL older than 1.0.1, but the current pip does not
support any Python version supporting such old OpenSSL versions.
(<code>[#12175](pypa/pip#12175)
&lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base
package. (<code>[#11924](pypa/pip#11924)
&lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x
faster. (<code>[#12204](pypa/pip#12204)
&lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI
overriding options.
(<code>[#12215](pypa/pip#12215)
&lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report
(<code>--report</code>) to indicate whether the requirement was yanked
from the index, but was still selected by pip conform to
:pep:<code>592</code>.
(<code>[#12224](pypa/pip#12224)
&lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning
instead). (<code>[#11394](pypa/pip#11394)
&lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package
metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as
long
as the package providing the extra(s) is built with values normalized
according
to the standard. Note, however, that this <em>does not</em> solve cases
where the
package itself contains unnormalized extra values in the metadata.
(<code>[#11649](pypa/pip#11649)
&lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata
is present. (<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report
(<code>--report</code>).
(<code>[#11924](pypa/pip#11924)
&lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from
non-vendored code.
(<code>[#12005](pypa/pip#12005)
&lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra.
(<code>[#12095](pypa/pip#12095)
&lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh
(<code>[#12166](pypa/pip#12166)
&lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of
<code>shutil.rmtree()</code> in Python 3.12.
(<code>[#12187](pypa/pip#12187)
&lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message:
&quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked
versions conform PEP 592. The yanked versions (if any) will be mentioned
in a separate error message.
(<code>[#12225](pypa/pip#12225)
&lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than
digits and dots.
(<code>[#12280](pypa/pip#12280)
&lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify
references with Mercurial.
(<code>[#12306](pypa/pip#12306)
&lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places.
(<code>[#12350](pypa/pip#12350)
&lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there
is a new on-disk cache format stored in a new directory
($PIP_CACHE_DIR/http-v2).
(<code>[#2984](pypa/pip#2984)
&lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a>
Reclassify news fragment</li>
<li><a
href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from
sbidoul/readact-collecting-url</li>
<li><a
href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from
edmorley/patch-1</li>
<li><a
href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a>
Redact URLs in Collecting... logs</li>
<li><a
href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a>
Correct issue number for NEWS entry added by <a
href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a
href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a>
Upgrade urllib3 to 1.26.17 (<a
href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a>
Update &quot;Running Tests&quot; documentation (<a
href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from
sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/22.3.1...23.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.3.1&new-version=23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/bacalhau-project/bacalhau/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions bot pushed a commit to bacalhau-project/bacalhau that referenced this issue Nov 6, 2023
Bumps [pip](https://github.com/pypa/pip) from 22.3.1 to 23.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>23.3 (2023-10-15)</h1>
<h2>Process</h2>
<ul>
<li>Added reference to <code>vulnerability reporting guidelines
&lt;https://www.python.org/dev/security/&gt;</code>_ to pip's security
policy.</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop a fallback to using SecureTransport on macOS. It was useful
when pip detected OpenSSL older than 1.0.1, but the current pip does not
support any Python version supporting such old OpenSSL versions.
(<code>[#12175](pypa/pip#12175)
&lt;https://github.com/pypa/pip/issues/12175&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Improve extras resolution for multiple constraints on same base
package. (<code>[#11924](pypa/pip#11924)
&lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Improve use of datastructures to make candidate selection 1.6x
faster. (<code>[#12204](pypa/pip#12204)
&lt;https://github.com/pypa/pip/issues/12204&gt;</code>_)</li>
<li>Allow <code>pip install --dry-run</code> to use platform and ABI
overriding options.
(<code>[#12215](pypa/pip#12215)
&lt;https://github.com/pypa/pip/issues/12215&gt;</code>_)</li>
<li>Add <code>is_yanked</code> boolean entry to the installation report
(<code>--report</code>) to indicate whether the requirement was yanked
from the index, but was still selected by pip conform to
:pep:<code>592</code>.
(<code>[#12224](pypa/pip#12224)
&lt;https://github.com/pypa/pip/issues/12224&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Ignore errors in temporary directory cleanup (show a warning
instead). (<code>[#11394](pypa/pip#11394)
&lt;https://github.com/pypa/pip/issues/11394&gt;</code>_)</li>
<li>Normalize extras according to :pep:<code>685</code> from package
metadata in the resolver
for comparison. This ensures extras are correctly compared and merged as
long
as the package providing the extra(s) is built with values normalized
according
to the standard. Note, however, that this <em>does not</em> solve cases
where the
package itself contains unnormalized extra values in the metadata.
(<code>[#11649](pypa/pip#11649)
&lt;https://github.com/pypa/pip/issues/11649&gt;</code>_)</li>
<li>Prevent downloading sdists twice when :pep:<code>658</code> metadata
is present. (<code>[#11847](pypa/pip#11847)
&lt;https://github.com/pypa/pip/issues/11847&gt;</code>_)</li>
<li>Include all requested extras in the install report
(<code>--report</code>).
(<code>[#11924](pypa/pip#11924)
&lt;https://github.com/pypa/pip/issues/11924&gt;</code>_)</li>
<li>Removed uses of <code>datetime.datetime.utcnow</code> from
non-vendored code.
(<code>[#12005](pypa/pip#12005)
&lt;https://github.com/pypa/pip/issues/12005&gt;</code>_)</li>
<li>Consistently report whether a dependency comes from an extra.
(<code>[#12095](pypa/pip#12095)
&lt;https://github.com/pypa/pip/issues/12095&gt;</code>_)</li>
<li>Fix completion script for zsh
(<code>[#12166](pypa/pip#12166)
&lt;https://github.com/pypa/pip/issues/12166&gt;</code>_)</li>
<li>Fix improper handling of the new onexc argument of
<code>shutil.rmtree()</code> in Python 3.12.
(<code>[#12187](pypa/pip#12187)
&lt;https://github.com/pypa/pip/issues/12187&gt;</code>_)</li>
<li>Filter out yanked links from the available versions error message:
&quot;(from versions: 1.0, 2.0, 3.0)&quot; will not contain yanked
versions conform PEP 592. The yanked versions (if any) will be mentioned
in a separate error message.
(<code>[#12225](pypa/pip#12225)
&lt;https://github.com/pypa/pip/issues/12225&gt;</code>_)</li>
<li>Fix crash when the git version number contains something else than
digits and dots.
(<code>[#12280](pypa/pip#12280)
&lt;https://github.com/pypa/pip/issues/12280&gt;</code>_)</li>
<li>Use <code>-r=...</code> instead of <code>-r ...</code> to specify
references with Mercurial.
(<code>[#12306](pypa/pip#12306)
&lt;https://github.com/pypa/pip/issues/12306&gt;</code>_)</li>
<li>Redact password from URLs in some additional places.
(<code>[#12350](pypa/pip#12350)
&lt;https://github.com/pypa/pip/issues/12350&gt;</code>_)</li>
<li>pip uses less memory when caching large packages. As a result, there
is a new on-disk cache format stored in a new directory
($PIP_CACHE_DIR/http-v2).
(<code>[#2984](pypa/pip#2984)
&lt;https://github.com/pypa/pip/issues/2984&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2023.7.22</li>
<li>Add truststore 0.8.0</li>
<li>Upgrade urllib3 to 1.26.17</li>
</ul>
<p>Improved Documentation</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/e3dc91dad93a020b3034a87ebe59027f63370fe8"><code>e3dc91d</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/3e85558b10722598fb3353126e2f19979f7cf7dd"><code>3e85558</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/8d0278771c7325b04f02cb073c8ef02827cbeb93"><code>8d02787</code></a>
Reclassify news fragment</li>
<li><a
href="https://github.com/pypa/pip/commit/f6ecf406c3929b3127ddb480ef4350542d102338"><code>f6ecf40</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12350">#12350</a> from
sbidoul/readact-collecting-url</li>
<li><a
href="https://github.com/pypa/pip/commit/306086513bd1a6500126057492ee8b0f9a2e79dd"><code>3060865</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12335">#12335</a> from
edmorley/patch-1</li>
<li><a
href="https://github.com/pypa/pip/commit/8f0ed32413daa411a728b50cd7776b9c02b010d5"><code>8f0ed32</code></a>
Redact URLs in Collecting... logs</li>
<li><a
href="https://github.com/pypa/pip/commit/d1659b87e46abd0a2dcc74f2160dd52e6190e13b"><code>d1659b8</code></a>
Correct issue number for NEWS entry added by <a
href="https://redirect.github.com/pypa/pip/issues/12197">#12197</a></li>
<li><a
href="https://github.com/pypa/pip/commit/2333ef3b53a71fb7acc9e76d6ff90409576b2250"><code>2333ef3</code></a>
Upgrade urllib3 to 1.26.17 (<a
href="https://redirect.github.com/pypa/pip/issues/12343">#12343</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/496b268c1b9ce3466c08eb4819e5460a943d1793"><code>496b268</code></a>
Update &quot;Running Tests&quot; documentation (<a
href="https://redirect.github.com/pypa/pip/issues/12334">#12334</a>)</li>
<li><a
href="https://github.com/pypa/pip/commit/d1f0981cb2af3c72ff871b54a8a98581ccb2890a"><code>d1f0981</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/12331">#12331</a> from
sbidoul/update-egg-deprecation-message</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/22.3.1...23.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.3.1&new-version=23.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/bacalhau-project/bacalhau/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
project: vendored dependency Related to a vendored dependency type: bug A confirmed bug or unintended behavior
Projects
None yet
Development

Successfully merging a pull request may close this issue.

14 participants