Scheduled daily dependency update on Saturday#141

Closed
pyup-bot wants to merge 2 commits into master from pyup-scheduled-update-2025-07-26

Conversation

@pyup-bot (Collaborator)

Update pip from 24.3.1 to 25.1.1.

Changelog

25.1.1
======

Bug Fixes
---------

- Fix ``req.source_dir`` AssertionError when using the legacy resolver. (`13353 <https://github.com/pypa/pip/issues/13353>`_)
- Fix crash on Python 3.9.6 and lower when pip failed to compile a Python module
during installation. (`13364 <https://github.com/pypa/pip/issues/13364>`_)
- Names in dependency group includes are now normalized before lookup, which
fixes incorrect ``Dependency group '...' not found`` errors. (`13372 <https://github.com/pypa/pip/issues/13372>`_)

Vendored Libraries
------------------

- Fix issues with using tomllib from the stdlib if available, rather than tomli
- Upgrade dependency-groups to 1.3.1

25.1
====

Deprecations and Removals
-------------------------

- Drop support for Python 3.8. (`12989 <https://github.com/pypa/pip/issues/12989>`_)
- On python 3.14+, the ``pkg_resources`` metadata backend cannot be used anymore. (`13010 <https://github.com/pypa/pip/issues/13010>`_)
- Hide ``--no-python-version-warning`` from CLI help and documentation
as it's useless since Python 2 support was removed. Despite being
formerly slated for removal, the flag will remain as a no-op to
avoid breakage. (`13303 <https://github.com/pypa/pip/issues/13303>`_)
- A warning is emitted when the deprecated ``pkg_resources`` library is used to
inspect and discover installed packages. This warning should only be visible to
users who set an undocumented environment variable to disable the default
``importlib.metadata`` backend. (`13318 <https://github.com/pypa/pip/issues/13318>`_)
- Deprecate the legacy ``setup.py bdist_wheel`` mechanism. To silence the warning,
and future-proof their setup, users should enable ``--use-pep517`` or add a
``pyproject.toml`` file to the projects they control. (`13319 <https://github.com/pypa/pip/issues/13319>`_)

Features
--------

- Suggest checking "pip config debug" in case of an InvalidProxyURL error. (`12649 <https://github.com/pypa/pip/issues/12649>`_)
- Using ``--debug`` also enables verbose logging. (`12710 <https://github.com/pypa/pip/issues/12710>`_)
- Display a transient progress bar during package installation. (`12712 <https://github.com/pypa/pip/issues/12712>`_)
- Minor performance improvement when installing packages with a large number
of dependencies by increasing the requirement string cache size. (`12873 <https://github.com/pypa/pip/issues/12873>`_)
- Add a ``--group`` option which allows installation from :pep:`735` Dependency
Groups. ``--group`` accepts arguments of the form ``group`` or
``path:group``, where the default path is ``pyproject.toml``, and installs
the named Dependency Group from the provided ``pyproject.toml`` file. (`12963 <https://github.com/pypa/pip/issues/12963>`_)
- Add support to enable resuming incomplete downloads. Control the number of
  retry attempts using the ``--resume-retries`` flag. (`12991 <https://github.com/pypa/pip/issues/12991>`_)
- Use :pep:`753` "Well-known Project URLs in Metadata" normalization rules when
identifying an equivalent project URL to replace a missing ``Home-Page`` field
in ``pip show``. (`13135 <https://github.com/pypa/pip/issues/13135>`_)
- Remove ``experimental`` warning from ``pip index versions`` command. (`13188 <https://github.com/pypa/pip/issues/13188>`_)
- Add a structured ``--json`` output to ``pip index versions`` (`13194 <https://github.com/pypa/pip/issues/13194>`_)
- Add a new, *experimental*, ``pip lock`` command, implementing :pep:`751`. (`13213 <https://github.com/pypa/pip/issues/13213>`_)
- Speed up resolution by first only considering the preference of
candidates that must be required to complete the resolution. (`13253 <https://github.com/pypa/pip/issues/13253>`_)
- Improved heuristics for determining the order of dependency resolution. (`13273 <https://github.com/pypa/pip/issues/13273>`_)
- Provide hint, documentation, and link to the documentation when
resolution too deep error occurs. (`13282 <https://github.com/pypa/pip/issues/13282>`_)
- Include traceback on failure to import ``setuptools`` when ``setup.py`` is being invoked directly. (`13290 <https://github.com/pypa/pip/issues/13290>`_)
- Support for :pep:`738` Android wheels. (`13299 <https://github.com/pypa/pip/issues/13299>`_)
- Display wheel build tag in ``pip list`` columns output if set. (`5210 <https://github.com/pypa/pip/issues/5210>`_)
- Build environment dependencies are no longer compiled to bytecode during
installation for a minor performance improvement. (`7294 <https://github.com/pypa/pip/issues/7294>`_)

Bug Fixes
---------

- When using the ``importlib.metadata`` backend (the default on Python 3.11+),
``pip list`` does not show installed egg distributions more than once anymore.
Additionally, egg distributions whose parent directory was in ``sys.path`` but
the egg themselves were not in ``sys.path`` are not detected anymore. (`12308 <https://github.com/pypa/pip/issues/12308>`_)
- Disable Git and SSH prompts when ``--no-input`` is passed. (`12718 <https://github.com/pypa/pip/issues/12718>`_)
- Gracefully handle Windows registry access errors while guessing the MIME type of a file. (`12769 <https://github.com/pypa/pip/issues/12769>`_)
- Support multiple global configuration paths returned by ``platformdirs`` on MacOS. (`12903 <https://github.com/pypa/pip/issues/12903>`_)
- Resolvelib 1.1.0 fixes a known issue where pip would report a
ResolutionImpossible error even though there is a valid solution.
However, some very complex dependency resolutions that previously
resolved may resolve slower or fail with a ResolutionTooDeep error. (`13001 <https://github.com/pypa/pip/issues/13001>`_)
- Show the correct path to the interpreter also when it's a symlink in a venv in the pip upgrade prompt. (`13156 <https://github.com/pypa/pip/issues/13156>`_)
- Parse wheel filenames according to `binary distribution format specification
<https://packaging.python.org/en/latest/specifications/binary-distribution-format/#file-format>`_.
When a filename doesn't match the spec a deprecation warning is emitted and the
filename is parsed using the old method. (`13229 <https://github.com/pypa/pip/issues/13229>`_)
- While resolving dependencies prefer if any of the known requirements are
"direct", e.g. points to an explicit URL. (`13244 <https://github.com/pypa/pip/issues/13244>`_)
- When choosing a preferred requirement for resolving dependencies
do not consider a specifier with a * in it, e.g. "==1.*", to be a
pinned specifier. (`13252 <https://github.com/pypa/pip/issues/13252>`_)
- Fix a regression that causes dependencies to be checked *before* ``Requires-Python``
project metadata is checked, leading to wasted cycles when the Python version is
unsupported. (`13270 <https://github.com/pypa/pip/issues/13270>`_)
- Don't require the ``wheel`` library to be installed to use ``--no-use-pep517``, any more. (`13330 <https://github.com/pypa/pip/issues/13330>`_)
- Fix regression that suppressed errors indicating which packages were ignored
due to incompatible ``requires-python`` metadata. (`13333 <https://github.com/pypa/pip/issues/13333>`_)
- Fix fish shell completion when commandline contains multiple commands. (`9727 <https://github.com/pypa/pip/issues/9727>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.2
- Upgrade certifi to 2025.1.31
- Upgrade packaging to 25.0
- Upgrade platformdirs to 4.3.7
- Upgrade pygments to 2.19.1
- Upgrade resolvelib to 1.1.0.
- Upgrade rich to 14.0.0
- Vendor tomli-w 1.2.0
- Upgrade truststore to 0.10.1
- Upgrade typing_extensions to 4.13.2

Improved Documentation
----------------------

- Added support for building only the man pages with minimal dependencies using
the sphinx-build ``--tag man`` option. This enables distributors to generate man
pages without requiring HTML documentation dependencies. (`13168 <https://github.com/pypa/pip/issues/13168>`_)

25.0.1
======

Bug Fixes
---------

- Fix an unsupported type annotation on Python 3.10 and earlier. (`13181 <https://github.com/pypa/pip/issues/13181>`_)
- Fix a regression where truststore would never be used while installing build dependencies. (`13186 <https://github.com/pypa/pip/issues/13186>`_)

25.0
====

Deprecations and Removals
-------------------------

- Deprecate the ``no-python-version-warning`` flag as it has long done nothing
since Python 2 support was removed in pip 21.0. (`13154 <https://github.com/pypa/pip/issues/13154>`_)

Features
--------

- Prefer to display :pep:`639` ``License-Expression`` in ``pip show`` if metadata version is at least 2.4. (`13112 <https://github.com/pypa/pip/issues/13112>`_)
- Support :pep:`639` ``License-Expression`` and ``License-File`` metadata fields in JSON
output. ``pip inspect`` and ``pip install --report`` now emit
``license_expression`` and ``license_file`` fields in the ``metadata`` object,
if the corresponding fields are present in the installed ``METADATA`` file. (`13134 <https://github.com/pypa/pip/issues/13134>`_)
- Files in the network cache will inherit the read/write permissions of pip's cache
directory (in addition to the current user retaining read/write access). This
enables a single cache to be shared among multiple users. (`11012 <https://github.com/pypa/pip/issues/11012>`_)
- Return the size, along with the number, of files cleared on ``pip cache purge`` and ``pip cache remove`` (`12176 <https://github.com/pypa/pip/issues/12176>`_)
- Cache ``python-requires`` checks while filtering potential installation candidates. (`13128 <https://github.com/pypa/pip/issues/13128>`_)
- Optimize package collection by avoiding unnecessary URL parsing and other processing. (`13132 <https://github.com/pypa/pip/issues/13132>`_)

Bug Fixes
---------

- Reorder the encoding detection when decoding a requirements file, relying on
UTF-8 over the locale encoding by default, matching the documented behaviour.
(`12771 <https://github.com/pypa/pip/issues/12771>`_)
- The pip version self check is disabled on ``EXTERNALLY-MANAGED`` environments. (`11820 <https://github.com/pypa/pip/issues/11820>`_)
- Fix a security bug allowing a specially crafted wheel to execute code during
installation. (`13079 <https://github.com/pypa/pip/issues/13079>`_)
- The inclusion of ``packaging`` 24.2 changes how pre-release specifiers with ``<`` and ``>``
behave. Including a pre-release version with these specifiers now implies
accepting pre-releases (e.g., ``<2.0dev`` can include ``1.0rc1``). To avoid
implying pre-releases, avoid specifying them (e.g., use ``<2.0``).
The exception is ``!=``, which never implies pre-releases. (`13163 <https://github.com/pypa/pip/issues/13163>`_)
- The ``--cert`` and ``--client-cert`` command-line options are now respected while
installing build dependencies. Consequently, the private ``_PIP_STANDALONE_CERT``
environment variable is no longer used. (`5502 <https://github.com/pypa/pip/issues/5502>`_)
- The ``--proxy`` command-line option is now respected while installing build dependencies. (`6018 <https://github.com/pypa/pip/issues/6018>`_)

Vendored Libraries
------------------

- Upgrade CacheControl to 0.14.1
- Upgrade idna to 3.10
- Upgrade msgpack to 1.1.0
- Upgrade packaging to 24.2
- Upgrade platformdirs to 4.3.6
- Upgrade pyproject-hooks to 1.2.0
- Upgrade rich to 13.9.4
- Upgrade tomli to 2.2.1

Improved Documentation
----------------------

- Removed section about non-existing ``--force-keyring`` flag. (`12455 <https://github.com/pypa/pip/issues/12455>`_)

Process
-------

- Started releasing to PyPI from a GitHub Actions CI/CD workflow that implements trusted publishing and bundles :pep:`740` digital attestations.

Update pillow from 11.1.0 to 11.3.0.

The bot wasn't able to find a changelog for this release. Got an idea?


@socket-security
Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    | Package                  | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | pip@24.3.1 ⏵ 25.1.1      | 74 (+1)               | 100           | 100     | 100         | 100
Updated | pillow@11.1.0 ⏵ 11.3.0   | 85                    | 100           | 100     | 100         | 70


@gemini-code-assist gemini-code-assist bot left a comment
Summary of Changes

Hello @pyup-bot, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated dependency update, initiated by pyup-bot, to ensure the project's Python packages remain current. It specifically upgrades the pip package manager and the Pillow imaging library to their latest stable versions, incorporating a range of bug fixes, new features, and performance improvements from these upstream libraries.

Highlights

  • Dependency Updates: This pull request automatically updates two core Python dependencies: pip is upgraded from version 24.3.1 to 25.1.1, and pillow is updated from 11.1.0 to 11.3.0.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature              | Command              | Description
Code Review          | /gemini review       | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary      | Provides a summary of the current pull request in its current state.
Comment              | @gemini-code-assist  | Responds in comments when explicitly tagged, both in issue comments and review comments.
Help                 | /gemini help         | Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

[1] Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates pip and pillow. These updates introduce versions that are incompatible with the Python 3.7 runtime specified in the project's Dockerfile, which is likely to break the Docker build. Reverting these changes until the Python runtime is upgraded is recommended.

@@ -1,2 +1,2 @@
pip==24.3.1
pillow==11.1.0
pip==25.1.1
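Review bot: the pip==25.1.1 pin in this hunk cannot be installed on the python:3.7.3-alpine3.8 image the inline review cites, because the 25.1 changelog posted above records "Drop support for Python 3.8" (12989); the image build will fail at the upgrade step. Reverting to pip==24.3.1 is not free either, since the 25.0 changelog above lists a fix for a specially crafted wheel executing code during installation (13079), so the better change is to bump the base image to a supported Python in the same PR and keep the pin. Independently, both pins carry no --hash= values, so pip cannot verify the downloaded artifacts; generating hash-pinned requirements and installing with --require-hashes would let an automated bump like this one be checked against a digest rather than a version string alone.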

critical

The update of pip to version 25.1.1 is incompatible with the Python version used in this project. The Dockerfile specifies python:3.7.3-alpine3.8. According to the pip changelog, version 25.1 dropped support for Python 3.8. This incompatibility will likely cause the Docker build to fail. It's recommended to revert this change until the Python version in the Dockerfile is upgraded to at least 3.9.

pip==24.3.1

pip==24.3.1
pillow==11.1.0
pip==25.1.1
pillow==11.3.0
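Review bot: pillow==11.3.0 has the same runtime problem as the pip bump on this image; the inline comment states 11.3.0 needs Python 3.9 or newer, and by the same comment the previous pillow==11.1.0 pin was already above the Dockerfile's 3.7, so reverting this line does not restore a working build, it only hides the existing mismatch. A CI step that resolves the pinned requirements against the Dockerfile's interpreter (for example, pip install --dry-run -r requirements.txt run inside the image) would surface both this and the pre-existing drift before the bot opens the PR.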

critical

This Pillow update to version 11.3.0 is incompatible with the Python 3.7 runtime specified in the Dockerfile. Pillow 11.3.0 requires Python 3.9 or newer. The previous version 11.1.0 already required Python 3.8+, so there is an existing inconsistency. Upgrading will almost certainly break the build. To avoid build failures, this dependency update should be reverted until the Python version in the Dockerfile is upgraded.

pillow==11.1.0
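The mismatch the review flags is cheap to catch before merge. The following check is an added example, not code from this repository, pyup or Gemini: it reads the Python version from the Dockerfile's FROM python tag, parses the == pins of the requirements file and evaluates each package's Requires-Python specifier against the image. The REQUIRES_PYTHON table is constructed for illustration from the changelog and review comments in this thread (pip 25.1 dropped 3.8, Pillow 11.3.0 needs 3.9), not fetched from PyPI.

```python
# Added example (not from this repository, pyup or Gemini): check that every
# '==' pin in requirements.txt supports the Python of the Dockerfile's base image.
from __future__ import annotations
import operator
import re

# Constructed Requires-Python table, package -> {version: specifier}. Assumed for
# illustration: pip floors follow the 25.1 changelog ("Drop support for Python 3.8"),
# Pillow follows the review comment (3.9 or newer). Read wheel METADATA in practice.
REQUIRES_PYTHON = {
    "pip": {"24.3.1": ">=3.8", "25.1.1": ">=3.9"},
    "pillow": {"11.1.0": ">=3.9", "11.3.0": ">=3.9"},
}
DOCKERFILE = "FROM python:3.7.3-alpine3.8\nRUN pip install -r requirements.txt\n"
REQUIREMENTS_NEW = "pip==25.1.1\npillow==11.3.0\n"  # pins after the PR (constructed)
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def image_python(dockerfile: str) -> tuple[int, int]:
    """Return (major, minor) from the first 'FROM python:<tag>' line."""
    m = re.search(r"^FROM\s+python:(\d+)\.(\d+)", dockerfile, re.M)
    if not m:
        raise ValueError("no 'FROM python:<major>.<minor>...' line found")
    return int(m.group(1)), int(m.group(2))

def parse_pins(requirements: str) -> dict[str, str]:
    """Map lowercase name -> exact version; reject anything not '=='-pinned."""
    pins: dict[str, str] = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"not an exact pin: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins

def satisfies(py: tuple[int, int], spec: str) -> bool:
    """Evaluate a comma-separated Requires-Python specifier (major.minor clauses)."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*(\d+)\.(\d+)(?:\.\*)?\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](py, (int(m.group(2)), int(m.group(3)))):
            return False
    return True

def incompatible(dockerfile: str, requirements: str, metadata=REQUIRES_PYTHON):
    # Returns (name, version, Requires-Python) for pins the image's Python cannot run.
    py = image_python(dockerfile)
    bad = []
    for name, version in parse_pins(requirements).items():
        spec = metadata.get(name, {}).get(version)
        if spec is None:  # unknown pin: fail closed rather than assume it is fine
            raise LookupError(f"no Requires-Python recorded for {name}=={version}")
        if not satisfies(py, spec):
            bad.append((name, version, spec))
    return bad
```

Running incompatible(DOCKERFILE, REQUIREMENTS_NEW) reports both pins, and the pre-PR pins fail the same check, which is the pre-existing inconsistency the review mentions.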

@pyup-bot (Collaborator, Author)

Closing this in favor of #142

@pyup-bot pyup-bot closed this Jul 28, 2025
@Baneeishaque Baneeishaque deleted the pyup-scheduled-update-2025-07-26 branch July 28, 2025 02:56