Scheduled daily dependency update on Sunday

[pyup-bot]

Update pip from 24.3.1 to 26.1.

Changelog

26.1

=================

Deprecations and Removals
-------------------------

- Drop support for Python 3.9. (`13795 <https://github.com/pypa/pip/issues/13795>`_)

Features
--------

- Add experimental support to read requirements from standardized pylock.toml files (``-r pylock.toml``). (`13876 <https://github.com/pypa/pip/issues/13876>`_)
- Allow ``--uploaded-prior-to`` to accept a duration in days (e.g., ``P3D`` for 3 days ago). (`13674 <https://github.com/pypa/pip/issues/13674>`_)

Enhancements
------------

- Speed up dependency resolution when there are complex conflicts. (`13859 <https://github.com/pypa/pip/issues/13859>`_)
- Reduce memory usage when resolving large dependency trees. (`13843 <https://github.com/pypa/pip/issues/13843>`_)
- Emit a deprecation warning when pip imports an unexpected module after
installation of a distribution has started. (`13912 <https://github.com/pypa/pip/issues/13912>`_)
- Allow URL constraints to apply to requirements with extras. (`12018 <https://github.com/pypa/pip/issues/12018>`_)
- Allow unpinned requirements to use hashes from constraints. Constraints
like ``{name}=={version} --hash=...`` feeds into hash verification for
a corresponding requirement. (`9243 <https://github.com/pypa/pip/issues/9243>`_)
- Improve conflict reports that involve direct URLs. (`13932 <https://github.com/pypa/pip/issues/13932>`_)
- Show all errors instead of first error for faulty ``dependency_groups`` definitions. (`13917 <https://github.com/pypa/pip/issues/13917>`_)

Bug Fixes
---------

- Fix recovery hint for missing RECORD file to use ``--ignore-installed``
instead of ``--force-reinstall``. (`12645 <https://github.com/pypa/pip/issues/12645>`_)
- Fix misleading error message when a constraint file cannot be opened. (`13226 <https://github.com/pypa/pip/issues/13226>`_)
- Show the filename rather than the full URL when downloading files from non-PyPI indexes in non-verbose mode. (`13494 <https://github.com/pypa/pip/issues/13494>`_)
- Remove the adjacent ``__pycache__`` directory when a .py file is removed. (`13725 <https://github.com/pypa/pip/issues/13725>`_)
- Force UTF-8 encoding for :pep:`723` metadata. (`13861 <https://github.com/pypa/pip/issues/13861>`_)
- Minor performance improvement when filtering candidates during resolution. (`13916 <https://github.com/pypa/pip/issues/13916>`_)
- Fix a hang on Windows when stdout is closed during verbose output. (`13927 <https://github.com/pypa/pip/issues/13927>`_)
- Common path prefixes are determined by path segment, not character by character. (`13847 <https://github.com/pypa/pip/issues/13847>`_)
- Fix installing ``.tar.gz`` source distributions that look like a zip file. (`13867 <https://github.com/pypa/pip/issues/13867>`_)

Vendored Libraries
------------------

- Upgrade certifi to 2026.2.25
- Upgrade packaging to 26.2
- Upgrade requests to 2.33.1
- Upgrade tomli to 2.3.1
- Upgrade urllib3 to 2.6.3
- Use ``packaging`` 26.1's new ``dependency_groups`` module, removing ``dependency-groups`` vendor.
- Use ``packaging.direct_url`` to manipulate ``direct_url.json``. Besides difference
in validation error messages, there should be no user-visible change.

Process
-------

- Add an explicit AI policy.

26.0.1

===================

Bug Fixes
---------

- Fix ``--pre`` not being respected from the command line when a requirement file
includes an option e.g. ``-extra-index-url``. (`13788 <https://github.com/pypa/pip/issues/13788>`_)

26.0

=================

Deprecations and Removals
-------------------------

- Remove support for non-bare project names in egg fragments. Affected users should use
the `Direct URL requirement syntax <https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references>`_. (`13157 <https://github.com/pypa/pip/issues/13157>`_)

Features
--------

- Display pip's command-line help in colour, if possible. (`12134 <https://github.com/pypa/pip/issues/12134>`_)
- Support installing dependencies declared with inline script metadata
(:pep:`723`) with ``--requirements-from-script``. (`12891 <https://github.com/pypa/pip/issues/12891>`_)
- Add ``--all-releases`` and ``--only-final`` options to control pre-release
and final release selection during package installation. (`13221 <https://github.com/pypa/pip/issues/13221>`_)
- Add ``--uploaded-prior-to`` option to only consider packages uploaded prior to
a given datetime when the ``upload-time`` field is available from a remote index. (`13625 <https://github.com/pypa/pip/issues/13625>`_)
- Add ``--use-feature inprocess-build-deps`` to request that build dependencies are installed
within the same pip install process. This new mechanism is faster, supports ``--no-clean``
and ``--no-cache-dir`` reliably, and supports prompting for authentication.

Enabling this feature will also enable ``--use-feature build-constraints``. This feature will
become the default in a future pip version. (`9081 <https://github.com/pypa/pip/issues/9081>`_)
- ``pip cache purge`` and ``pip cache remove`` now clean up empty directories
and legacy files left by older pip versions. (`9058 <https://github.com/pypa/pip/issues/9058>`_)

Bug Fixes
---------

- Fix selecting pre-release versions when only pre-releases match.
For example, ``package>1.0`` with versions ``1.0, 2.0rc1`` now installs
``2.0rc1`` instead of failing. (`13746 <https://github.com/pypa/pip/issues/13746>`_)
- Revisions in version control URLs now must be percent-encoded.
For example, use ``git+https://example.com/repo.gitissue%231`` to specify the branch ``issue#1``.
If you previously used a branch name containing a ``%`` character in a version control URL, you now need to replace it with ``%25`` to ensure correct percent-encoding. (`13407 <https://github.com/pypa/pip/issues/13407>`_)
- Preserve original casing when a path is displayed. (`6823 <https://github.com/pypa/pip/issues/6823>`_)
- Fix bash completion when the ``$IFS`` variable has been modified from its default. (`13555 <https://github.com/pypa/pip/issues/13555>`_)
- Precompute Python requirements on each candidate, reducing time of long resolutions. (`13656 <https://github.com/pypa/pip/issues/13656>`_)
- Skip redundant work converting version objects to strings when using the
``importlib.metadata`` backend. (`13660 <https://github.com/pypa/pip/issues/13660>`_)
- Fix ``pip index versions`` to honor only-binary/no-binary options. (`13682 <https://github.com/pypa/pip/issues/13682>`_)
- Fix fallthrough logic for options, allowing overriding global options with
defaults from user config. (`13703 <https://github.com/pypa/pip/issues/13703>`_)
- Use a path-segment prefix comparison, not char-by-char. (`13777 <https://github.com/pypa/pip/issues/13777>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.4
- Upgrade certifi to 2026.1.4
- Upgrade idna to 3.11
- Upgrade packaging to 26.0
- Upgrade platformdirs to 4.5.1

25.3

=================

Deprecations and Removals
-------------------------

- Remove support for the legacy ``setup.py develop`` editable method in setuptools
editable installs; setuptools >= 64 is now required. (`11457 <https://github.com/pypa/pip/issues/11457>`_)
- Remove the deprecated ``--global-option`` and ``--build-option``.
``--config-setting`` is now the only way to pass options to the build backend. (`11859 <https://github.com/pypa/pip/issues/11859>`_)
- Deprecate the ``PIP_CONSTRAINT`` environment variable for specifying build
constraints.

Use the ``--build-constraint`` option or the ``PIP_BUILD_CONSTRAINT`` environment variable
instead. When build constraints are used, ``PIP_CONSTRAINT`` no longer affects isolated build
environments. To enable this behavior without specifying any build constraints, use
``--use-feature=build-constraint``. (`13534 <https://github.com/pypa/pip/issues/13534>`_)
- Remove support for non-standard legacy wheel filenames. (`13581 <https://github.com/pypa/pip/issues/13581>`_)
- Remove support for the deprecated ``setup.py bdist_wheel`` mechanism. Consequently,
``--use-pep517`` is now always on, and ``--no-use-pep517`` has been removed. (`6334 <https://github.com/pypa/pip/issues/6334>`_)

Features
--------

- When :pep:`658` metadata is available, full distribution files are no longer downloaded when using ``pip lock`` or ``pip install --dry-run``. (`12603 <https://github.com/pypa/pip/issues/12603>`_)
- Add support for installing an editable requirement written as a Direct URL (``PackageName  URL``). (`13495 <https://github.com/pypa/pip/issues/13495>`_)
- Add support for build constraints via the ``--build-constraint`` option. This
allows constraining the versions of packages used during the build process
(e.g., setuptools) without affecting the final installation. (`13534 <https://github.com/pypa/pip/issues/13534>`_)
- On ``ResolutionImpossible`` errors, include a note about causes with no candidates. (`13588 <https://github.com/pypa/pip/issues/13588>`_)
- Building pip itself from source now uses flit-core instead of setuptools.
This does not affect how pip installs or builds packages you use. (`13473 <https://github.com/pypa/pip/issues/13473>`_)

Bug Fixes
---------

- Handle malformed ``Version`` metadata entries and
show a sensible error message instead of crashing. (`13443 <https://github.com/pypa/pip/issues/13443>`_)
- Permit spaces between a filepath and extras in an install requirement. (`13523 <https://github.com/pypa/pip/issues/13523>`_)
- Ensure the self-check files in the cache have the same permissions as the rest of the cache. (`13528 <https://github.com/pypa/pip/issues/13528>`_)
- Avoid concurrency issues and improve performance when caching locally built wheels,
especially when the temporary build directory is on a different filesystem than the cache.
The wheel directory passed to the build backend is now a temporary subdirectory inside
the cache directory. (`13540 <https://github.com/pypa/pip/issues/13540>`_)
- Include relevant user-supplied constraints in logs when reporting dependency conflicts. (`13545 <https://github.com/pypa/pip/issues/13545>`_)
- Fix a regression in configuration parsing that was turning a single value
into a list and thus leading to a validation error. (`13548 <https://github.com/pypa/pip/issues/13548>`_)
- For Python versions that do not support :pep:`706`, pip will now raise an installation error for a
source distribution when it includes a symlink that points outside the source distribution archive. (`13550 <https://github.com/pypa/pip/issues/13550>`_)
- Prevent ``--user`` installs if ``site.ENABLE_USER_SITE`` is set to ``False``. (`8794 <https://github.com/pypa/pip/issues/8794>`_)


Vendored Libraries
------------------

- Upgrade certifi to 2025.10.5
- Upgrade msgpack to 1.1.2
- Upgrade platformdirs to 4.5.0
- Upgrade requests to 2.32.5
- Upgrade resolvelib to 1.2.1
- Upgrade rich to 14.2.0
- Upgrade tomli to 2.3.0
- Upgrade truststore to 0.10.4

25.2

=================

Features
--------

- Declare support for Python 3.14 (`13506 <https://github.com/pypa/pip/issues/13506>`_)
- Automatic download resumption and retrying is enabled by default. (`13464 <https://github.com/pypa/pip/issues/13464>`_)
- Requires-Python error message displays version clauses in numerical order. (`13367 <https://github.com/pypa/pip/issues/13367>`_)
- Minor performance improvement getting the order to install a very large number of interdependent packages. (`13424 <https://github.com/pypa/pip/issues/13424>`_)
- Show time taken instead of ``eta 0:00:00`` at download completion. (`13483 <https://github.com/pypa/pip/issues/13483>`_)
- Speed up small CLI tools by removing ``import re`` from the console
script executable template. (`13165 <https://github.com/pypa/pip/issues/13165>`_)
- Remove warning when cloning from a Git reference that does not look like a commit hash. (`12283 <https://github.com/pypa/pip/issues/12283>`_)

Bug Fixes
---------

- ``pip config debug`` now correctly separates options as set by the different files
at the same level. (`12099 <https://github.com/pypa/pip/issues/12099>`_)
- Ensure truststore feature remains active even when a proxy is also in use. (`13343 <https://github.com/pypa/pip/issues/13343>`_)
- Include sub-commands in tab completion. (`13140 <https://github.com/pypa/pip/issues/13140>`_)
- ``pip list`` with the ``json`` or ``freeze`` format enabled will no longer
crash when encountering a package with an invalid version. (`13345 <https://github.com/pypa/pip/issues/13345>`_)
- Provide a hint if a system error is raised involving long filenames or path segments on Windows. (`13346 <https://github.com/pypa/pip/issues/13346>`_)
- Resumed downloads are saved to the HTTP cache like any other normal download. (`13441 <https://github.com/pypa/pip/issues/13441>`_)
- Configured verbosity is consistently forwarded while calling Git during
VCS operations. (`13329 <https://github.com/pypa/pip/issues/13329>`_)
- Suppress the progress bar, when running with ``--log`` and ``--quiet``.

Consequently, a new ``auto`` mode for ``--progress-bar`` has been added.
``auto`` will enable progress bars unless suppressed by ``--quiet``,
while ``on`` will always enable progress bars. (`10915 <https://github.com/pypa/pip/issues/10915>`_)
- Fix normalization of local URLs with non-``file`` schemes. (`13509 <https://github.com/pypa/pip/issues/13509>`_)
- Fix normalization of local file URLs on Windows in newer Python versions. (`13510 <https://github.com/pypa/pip/issues/13510>`_)
- Fix remaining test failures in Python 3.14 by adjusting ``path_to_url`` and similar functions. (`13423 <https://github.com/pypa/pip/issues/13423>`_)
- Fix missing ``network`` test markings, making the suite pass in offline
environments again. (`13378 <https://github.com/pypa/pip/issues/13378>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.3
- Upgrade certifi to 2025.7.14
- Upgrade distlib to 0.4.0
- Upgrade msgpack to 1.1.1
- Upgrade platformdirs to 4.3.8
- Upgrade pygments to 2.19.2
- Upgrade requests to 2.32.4
- Upgrade resolvelib to 1.2.0
- Upgrade rich to 14.1.0
- Remove vendored typing-extensions.

Process
-------

- pip's own licensing metadata now follows :pep:`639`.
In addition, the licenses of pip's vendored dependencies are now included
in the ``License-File`` metadata field and in the wheel.

25.1.1

===================

Bug Fixes
---------

- Fix ``req.source_dir`` AssertionError when using the legacy resolver. (`13353 <https://github.com/pypa/pip/issues/13353>`_)
- Fix crash on Python 3.9.6 and lower when pip failed to compile a Python module
during installation. (`13364 <https://github.com/pypa/pip/issues/13364>`_)
- Names in dependency group includes are now normalized before lookup, which
fixes incorrect ``Dependency group '...' not found`` errors. (`13372 <https://github.com/pypa/pip/issues/13372>`_)

Vendored Libraries
------------------

- Fix issues with using tomllib from the stdlib if available, rather than tomli
- Upgrade dependency-groups to 1.3.1

25.1

=================

Deprecations and Removals
-------------------------

- Drop support for Python 3.8. (`12989 <https://github.com/pypa/pip/issues/12989>`_)
- On python 3.14+, the ``pkg_resources`` metadata backend cannot be used anymore. (`13010 <https://github.com/pypa/pip/issues/13010>`_)
- Hide ``--no-python-version-warning`` from CLI help and documentation
as it's useless since Python 2 support was removed. Despite being
formerly slated for removal, the flag will remain as a no-op to
avoid breakage. (`13303 <https://github.com/pypa/pip/issues/13303>`_)
- A warning is emitted when the deprecated ``pkg_resources`` library is used to
inspect and discover installed packages. This warning should only be visible to
users who set an undocumented environment variable to disable the default
``importlib.metadata`` backend. (`13318 <https://github.com/pypa/pip/issues/13318>`_)
- Deprecate the legacy ``setup.py bdist_wheel`` mechanism. To silence the warning,
and future-proof their setup, users should enable ``--use-pep517`` or add a
``pyproject.toml`` file to the projects they control. (`13319 <https://github.com/pypa/pip/issues/13319>`_)

Features
--------

- Suggest checking "pip config debug" in case of an InvalidProxyURL error. (`12649 <https://github.com/pypa/pip/issues/12649>`_)
- Using ``--debug`` also enables verbose logging. (`12710 <https://github.com/pypa/pip/issues/12710>`_)
- Display a transient progress bar during package installation. (`12712 <https://github.com/pypa/pip/issues/12712>`_)
- Minor performance improvement when installing packages with a large number
of dependencies by increasing the requirement string cache size. (`12873 <https://github.com/pypa/pip/issues/12873>`_)
- Add a ``--group`` option which allows installation from :pep:`735` Dependency
Groups. ``--group`` accepts arguments of the form ``group`` or
``path:group``, where the default path is ``pyproject.toml``, and installs
the named Dependency Group from the provided ``pyproject.toml`` file. (`12963 <https://github.com/pypa/pip/issues/12963>`_)
- Add support to enable resuming incomplete downloads.

Control the number of retry attempts using the ``--resume-retries`` flag. (`12991 <https://github.com/pypa/pip/issues/12991>`_)
- Use :pep:`753` "Well-known Project URLs in Metadata" normalization rules when
identifying an equivalent project URL to replace a missing ``Home-Page`` field
in ``pip show``. (`13135 <https://github.com/pypa/pip/issues/13135>`_)
- Remove ``experimental`` warning from ``pip index versions`` command. (`13188 <https://github.com/pypa/pip/issues/13188>`_)
- Add a structured ``--json`` output to ``pip index versions`` (`13194 <https://github.com/pypa/pip/issues/13194>`_)
- Add a new, *experimental*, ``pip lock`` command, implementing :pep:`751`. (`13213 <https://github.com/pypa/pip/issues/13213>`_)
- Speed up resolution by first only considering the preference of
candidates that must be required to complete the resolution. (`13253 <https://github.com/pypa/pip/issues/13253>`_)
- Improved heuristics for determining the order of dependency resolution. (`13273 <https://github.com/pypa/pip/issues/13273>`_)
- Provide hint, documentation, and link to the documentation when
resolution too deep error occurs. (`13282 <https://github.com/pypa/pip/issues/13282>`_)
- Include traceback on failure to import ``setuptools`` when ``setup.py`` is being invoked directly. (`13290 <https://github.com/pypa/pip/issues/13290>`_)
- Support for :pep:`738` Android wheels. (`13299 <https://github.com/pypa/pip/issues/13299>`_)
- Display wheel build tag in ``pip list`` columns output if set. (`5210 <https://github.com/pypa/pip/issues/5210>`_)
- Build environment dependencies are no longer compiled to bytecode during
installation for a minor performance improvement. (`7294 <https://github.com/pypa/pip/issues/7294>`_)

Bug Fixes
---------

- When using the ``importlib.metadata`` backend (the default on Python 3.11+),
``pip list`` does not show installed egg distributions more than once anymore.
Additionally, egg distributions whose parent directory was in ``sys.path`` but
the egg themselves were not in ``sys.path`` are not detected anymore. (`12308 <https://github.com/pypa/pip/issues/12308>`_)
- Disable Git and SSH prompts when ``--no-input`` is passed. (`12718 <https://github.com/pypa/pip/issues/12718>`_)
- Gracefully handle Windows registry access errors while guessing the MIME type of a file. (`12769 <https://github.com/pypa/pip/issues/12769>`_)
- Support multiple global configuration paths returned by ``platformdirs`` on MacOS. (`12903 <https://github.com/pypa/pip/issues/12903>`_)
- Resolvelib 1.1.0 fixes a known issue where pip would report a
ResolutionImpossible error even though there is a valid solution.
However, some very complex dependency resolutions that previously
resolved may resolve slower or fail with an ResolutionTooDeep error. (`13001 <https://github.com/pypa/pip/issues/13001>`_)
- Show the correct path to the interpreter also when it's a symlink in a venv in the pip upgrade prompt. (`13156 <https://github.com/pypa/pip/issues/13156>`_)
- Parse wheel filenames according to `binary distribution format specification
<https://packaging.python.org/en/latest/specifications/binary-distribution-format/#file-format>`_.
When a filename doesn't match the spec a deprecation warning is emitted and the
filename is parsed using the old method. (`13229 <https://github.com/pypa/pip/issues/13229>`_)
- While resolving dependencies prefer if any of the known requirements are
"direct", e.g. points to an explicit URL. (`13244 <https://github.com/pypa/pip/issues/13244>`_)
- When choosing a preferred requirement for resolving dependencies
do not consider a specifier with a * in it, e.g. "==1.*", to be a
pinned specifier. (`13252 <https://github.com/pypa/pip/issues/13252>`_)
- Fix a regression that causes dependencies to be checked *before* ``Requires-Python``
project metadata is checked, leading to wasted cycles when the Python version is
unsupported. (`13270 <https://github.com/pypa/pip/issues/13270>`_)
- Don't require the ``wheel`` library to be installed to use ``--no-use-pep517``, any more. (`13330 <https://github.com/pypa/pip/issues/13330>`_)
- Fix regression that suppressed errors indicating which packages were ignored
due to incompatible ``requires-python`` metadata. (`13333 <https://github.com/pypa/pip/issues/13333>`_)
- Fix fish shell completion when commandline contains multiple commands. (`9727 <https://github.com/pypa/pip/issues/9727>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.2
- Upgrade certifi to 2025.1.31
- Upgrade packaging to 25.0
- Upgrade platformdirs to 4.3.7
- Upgrade pygments to 2.19.1
- Upgrade resolvelib to 1.1.0.
- Upgrade rich to 14.0.0
- Vendor tomli-w 1.2.0
- Upgrade truststore to 0.10.1
- Upgrade typing_extensions to 4.13.2

Improved Documentation
----------------------

- Added support for building only the man pages with minimal dependencies using
the sphinx-build ``--tag man`` option. This enables distributors to generate man
pages without requiring HTML documentation dependencies. (`13168 <https://github.com/pypa/pip/issues/13168>`_)

25.0.1

===================

Bug Fixes
---------

- Fix an unsupported type annotation on Python 3.10 and earlier. (`13181 <https://github.com/pypa/pip/issues/13181>`_)
- Fix a regression where truststore would never be used while installing build dependencies. (`13186 <https://github.com/pypa/pip/issues/13186>`_)

25.0

=================

Deprecations and Removals
-------------------------

- Deprecate the ``no-python-version-warning`` flag as it has long done nothing
since Python 2 support was removed in pip 21.0. (`13154 <https://github.com/pypa/pip/issues/13154>`_)

Features
--------

- Prefer to display :pep:`639` ``License-Expression`` in ``pip show`` if metadata version is at least 2.4. (`13112 <https://github.com/pypa/pip/issues/13112>`_)
- Support :pep:`639` ``License-Expression`` and ``License-File`` metadata fields in JSON
output. ``pip inspect`` and ``pip install --report`` now emit
``license_expression`` and ``license_file`` fields in the ``metadata`` object,
if the corresponding fields are present in the installed ``METADATA`` file. (`13134 <https://github.com/pypa/pip/issues/13134>`_)
- Files in the network cache will inherit the read/write permissions of pip's cache
directory (in addition to the current user retaining read/write access). This
enables a single cache to be shared among multiple users. (`11012 <https://github.com/pypa/pip/issues/11012>`_)
- Return the size, along with the number, of files cleared on ``pip cache purge`` and ``pip cache remove`` (`12176 <https://github.com/pypa/pip/issues/12176>`_)
- Cache ``python-requires`` checks while filtering potential installation candidates. (`13128 <https://github.com/pypa/pip/issues/13128>`_)
- Optimize package collection by avoiding unnecessary URL parsing and other processing. (`13132 <https://github.com/pypa/pip/issues/13132>`_)

Bug Fixes
---------

- Reorder the encoding detection when decoding a requirements file, relying on
UTF-8 over the locale encoding by default, matching the documented behaviour.
(`12771 <https://github.com/pypa/pip/issues/12771>`_)
- The pip version self check is disabled on ``EXTERNALLY-MANAGED`` environments. (`11820 <https://github.com/pypa/pip/issues/11820>`_)
- Fix a security bug allowing a specially crafted wheel to execute code during
installation. (`13079 <https://github.com/pypa/pip/issues/13079>`_)
- The inclusion of ``packaging`` 24.2 changes how pre-release specifiers with ``<`` and ``>``
behave. Including a pre-release version with these specifiers now implies
accepting pre-releases (e.g., ``<2.0dev`` can include ``1.0rc1``). To avoid
implying pre-releases, avoid specifying them (e.g., use ``<2.0``).
The exception is ``!=``, which never implies pre-releases. (`13163 <https://github.com/pypa/pip/issues/13163>`_)
- The ``--cert`` and ``--client-cert`` command-line options are now respected while
installing build dependencies. Consequently, the private ``_PIP_STANDALONE_CERT``
environment variable is no longer used. (`5502 <https://github.com/pypa/pip/issues/5502>`_)
- The ``--proxy`` command-line option is now respected while installing build dependencies. (`6018 <https://github.com/pypa/pip/issues/6018>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.1
- Upgrade idna to 3.10
- Upgrade msgpack to 1.1.0
- Upgrade packaging to 24.2
- Upgrade platformdirs to 4.3.6
- Upgrade pyproject-hooks to 1.2.0
- Upgrade rich to 13.9.4
- Upgrade tomli to 2.2.1

Improved Documentation
----------------------

- Removed section about non-existing ``--force-keyring`` flag. (`12455 <https://github.com/pypa/pip/issues/12455>`_)

Process
-------

- Started releasing to PyPI from a GitHub Actions CI/CD workflow that implements trusted publishing and bundles :pep:`740` digital attestations.

Links

• PyPI: https://pypi.org/project/pip
• Changelog: https://data.safetycli.com/changelogs/pip/

Update pillow from 11.1.0 to 12.2.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/pillow
• Changelog: https://data.safetycli.com/changelogs/pillow/

Update gkeepapi from 0.17.0 to 0.17.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/gkeepapi

Update requests from 2.32.5 to 2.33.1.

Changelog

2.33.1

-------------------

**Bugfixes**
- Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory. (7305)
- Fixed Content-Type header parsing for malformed values. (7309)
- Improved error consistency for malformed header values. (7308)

2.33.0

-------------------

**Announcements**
- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at 7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

**Security**
- CVE-2026-25645 ``requests.utils.extract_zipped_paths`` now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

**Improvements**
- Migrated to a PEP 517 build system using setuptools. (7012)

**Bugfixes**
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (7205)

**Deprecations**
- Dropped support for Python 3.9 following its end of support. (7196)

**Documentation**
- Various typo fixes and doc improvements.

Links

• PyPI: https://pypi.org/project/requests
• Changelog: https://data.safetycli.com/changelogs/requests/

[semanticdiff-com]

Review changes with  

[coderabbitai]

Warning

Rate limit exceeded

@pyup-bot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 58 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b85176d6-1cf1-449f-9605-176b0fe0d0a0

📥 Commits

Reviewing files that changed from the base of the PR and between e7901d8 and 300acaa.

📒 Files selected for processing (1)

• requirements.txt

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pyup-scheduled-update-2026-05-03

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 59 minutes and 58 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pip@​24.3.1 ⏵ 26.1		+4			-30
	pillow@​11.1.0 ⏵ 12.2.0		+22
	requests@​2.32.5 ⏵ 2.33.1	+1	+2
	gkeepapi@​0.17.0 ⏵ 0.17.1	+1

View full report

[gemini-code-assist]

Code Review

This pull request updates several dependencies in requirements.txt, including pip, pillow, gkeepapi, and requests. The review feedback highlights critical compatibility issues, noting that the updated versions of pip, pillow, and requests are incompatible with the project's current Python 3.7.3 environment and require at least Python 3.10.

[gemini-code-assist]

The updated versions of pip (26.1) and pillow (12.2.0) are incompatible with the Python 3.7.3 environment specified in the Dockerfile. According to the changelog, pip 26.1 has dropped support for Python 3.9 and below, requiring at least Python 3.10. Similarly, recent versions of pillow require Python 3.10+. This update will cause the build to fail during dependency installation unless the base image in the Dockerfile is upgraded.

[gemini-code-assist]

The update to requests 2.33.1 is incompatible with the current Python 3.7.3 base image, as this version now requires Python 3.10+. While this update is important because it addresses a security vulnerability (CVE-2026-25645), it cannot be applied without first upgrading the project's Python environment to a supported version.

[pyup-bot]

Closing this in favor of #278