dns icon indicating copy to clipboard operation
dns copied to clipboard
verified publisher icon parkr

Bump pip from 25.2 to 25.3

Open dependabot[bot] opened this issue 2 months ago • 0 comments

Bumps pip from 25.2 to 25.3.

Changelog

Sourced from pip's changelog.

25.3 (2025-10-24)

Deprecations and Removals

  • Remove support for the legacy setup.py develop editable method in setuptools editable installs; setuptools >= 64 is now required. ([#11457](https://github.com/pypa/pip/issues/11457) <https://github.com/pypa/pip/issues/11457>_)

  • Remove the deprecated --global-option and --build-option. --config-setting is now the only way to pass options to the build backend. ([#11859](https://github.com/pypa/pip/issues/11859) <https://github.com/pypa/pip/issues/11859>_)

  • Deprecate the PIP_CONSTRAINT environment variable for specifying build constraints.

    Use the --build-constraint option or the PIP_BUILD_CONSTRAINT environment variable instead. When build constraints are used, PIP_CONSTRAINT no longer affects isolated build environments. To enable this behavior without specifying any build constraints, use --use-feature=build-constraint. ([#13534](https://github.com/pypa/pip/issues/13534) <https://github.com/pypa/pip/issues/13534>_)

  • Remove support for non-standard legacy wheel filenames. ([#13581](https://github.com/pypa/pip/issues/13581) <https://github.com/pypa/pip/issues/13581>_)

  • Remove support for the deprecated setup.py bdist_wheel mechanism. Consequently, --use-pep517 is now always on, and --no-use-pep517 has been removed. ([#6334](https://github.com/pypa/pip/issues/6334) <https://github.com/pypa/pip/issues/6334>_)

Features

  • When :pep:658 metadata is available, full distribution files are no longer downloaded when using pip lock or pip install --dry-run. ([#12603](https://github.com/pypa/pip/issues/12603) <https://github.com/pypa/pip/issues/12603>_)
  • Add support for installing an editable requirement written as a Direct URL (PackageName @ URL). ([#13495](https://github.com/pypa/pip/issues/13495) <https://github.com/pypa/pip/issues/13495>_)
  • Add support for build constraints via the --build-constraint option. This allows constraining the versions of packages used during the build process (e.g., setuptools) without affecting the final installation. ([#13534](https://github.com/pypa/pip/issues/13534) <https://github.com/pypa/pip/issues/13534>_)
  • On ResolutionImpossible errors, include a note about causes with no candidates. ([#13588](https://github.com/pypa/pip/issues/13588) <https://github.com/pypa/pip/issues/13588>_)
  • Building pip itself from source now uses flit-core instead of setuptools. This does not affect how pip installs or builds packages you use. ([#13473](https://github.com/pypa/pip/issues/13473) <https://github.com/pypa/pip/issues/13473>_)

Bug Fixes

  • Handle malformed Version metadata entries and show a sensible error message instead of crashing. ([#13443](https://github.com/pypa/pip/issues/13443) <https://github.com/pypa/pip/issues/13443>_)
  • Permit spaces between a filepath and extras in an install requirement. ([#13523](https://github.com/pypa/pip/issues/13523) <https://github.com/pypa/pip/issues/13523>_)
  • Ensure the self-check files in the cache have the same permissions as the rest of the cache. ([#13528](https://github.com/pypa/pip/issues/13528) <https://github.com/pypa/pip/issues/13528>_)
  • Avoid concurrency issues and improve performance when caching locally built wheels, especially when the temporary build directory is on a different filesystem than the cache. The wheel directory passed to the build backend is now a temporary subdirectory inside the cache directory. ([#13540](https://github.com/pypa/pip/issues/13540) <https://github.com/pypa/pip/issues/13540>_)
  • Include relevant user-supplied constraints in logs when reporting dependency conflicts. ([#13545](https://github.com/pypa/pip/issues/13545) <https://github.com/pypa/pip/issues/13545>_)
  • Fix a regression in configuration parsing that was turning a single value into a list and thus leading to a validation error. ([#13548](https://github.com/pypa/pip/issues/13548) <https://github.com/pypa/pip/issues/13548>_)
  • For Python versions that do not support :pep:706, pip will now raise an installation error for a source distribution when it includes a symlink that points outside the source distribution archive. ([#13550](https://github.com/pypa/pip/issues/13550) <https://github.com/pypa/pip/issues/13550>_)
  • Prevent --user installs if site.ENABLE_USER_SITE is set to False. ([#8794](https://github.com/pypa/pip/issues/8794) <https://github.com/pypa/pip/issues/8794>_)

... (truncated)

Commits
  • a520693 Bump for release
  • 0f2973e Fix up authors by adding entry to .mailmap
  • 87828dc Update AUTHORS.txt
  • ce6a38c Merge pull request #13628 from sbidoul/imp-doc-pep517-sbi
  • ee16c81 Merge pull request #13629 from notatallshaw/bump-gone_in="25.3"
  • 3e227aa Bump gone_in="25.3"
  • 4ad1828 Merge pull request #13495 from ichard26/feat/direct-editables
  • 66ded3b Merge pull request #13570 from ShubhamNagure/fix-constraint-reporting-13545
  • 67e8ac2 Merge pull request #13588 from notatallshaw/hint-on-resolution-impossible-whe...
  • 990ca8a Merge pull request #8796 from pelson/honour_user_site
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Oct 27 '25 12:10 dependabot[bot]