Update pip from 25.2 to 25.3

Changelog:
https://pip.pypa.io/en/stable/news/#v25-3

Additionally, we now no longer install the `wheel` package when using
pip with Python 3.12 and older, since:

- With modern setuptools, it's no longer necessary to manually install
  wheel, since setuptools will trigger its installation if needed.
- As of pip 25.3, pip prepares/builds dependencies inside an isolated
  ephemeral build environment (~venv) that means even if wheel is
  installed globally, it won't be used anyway.
- The Python CNB (and much of the rest of the Python ecosystem) doesn't
  install wheel globally any more either.

This doesn't affect apps using either a different package manager, or
that are using pip with Python 3.13 or newer, since we already didn't
install the wheel package in those environments.

GUS-W-17605676.
GUS-W-20804745.

Author: edmorley

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## [Unreleased]
 
+- Updated pip from 25.2 to 25.3. ([#2008](https://github.com/heroku/heroku-buildpack-python/pull/2008))
+- Stopped installing wheel when using pip with Python 3.12 and older. ([#2008](https://github.com/heroku/heroku-buildpack-python/pull/2008))
 
 ## [v327] - 2026-01-07
 

lib/pip.sh

@@ -6,7 +6,6 @@ set -euo pipefail
 
 PIP_VERSION=$(utils::get_requirement_version 'pip')
 SETUPTOOLS_VERSION=$(utils::get_requirement_version 'setuptools')
-WHEEL_VERSION=$(utils::get_requirement_version 'wheel')
 
 function pip::install_pip() {
 	local python_home="${1}"
@@ -21,21 +20,17 @@ function pip::install_pip() {
 	)
 	local packages_display_text="pip ${PIP_VERSION}"
 
-	# We only install setuptools and wheel on Python 3.12 and older, since:
-	# - If either is not installed, pip will automatically install them into an isolated build
-	#   environment if needed when installing packages from an sdist. This means that for
-	#   all packages that correctly declare their metadata, it's no longer necessary to have
-	#   them installed.
+	# We only install setuptools on Python 3.12 and older, since:
+	# - pip now uses isolated build environments into which it installed setuptools and wheel
+	#   if needed when installing packages from an sdist.
 	# - Most of the Python ecosystem has stopped installing them for Python 3.12+ already.
 	# See the Python CNB's removal for more details: https://github.com/heroku/buildpacks-python/pull/243
 	if [[ "${python_major_version}" == +(3.10|3.11|3.12) ]]; then
 		build_data::set_string "setuptools_version" "${SETUPTOOLS_VERSION}"
-		build_data::set_string "wheel_version" "${WHEEL_VERSION}"
 		packages_to_install+=(
 			"setuptools==${SETUPTOOLS_VERSION}"
-			"wheel==${WHEEL_VERSION}"
 		)
-		packages_display_text+=", setuptools ${SETUPTOOLS_VERSION} and wheel ${WHEEL_VERSION}"
+		packages_display_text+=" and setuptools ${SETUPTOOLS_VERSION}"
 	fi
 
 	# Note: We still perform this install step even if the cache was reused, since we have no guarantee

requirements/pip.txt

@@ -1 +1 @@
-pip==25.2
+pip==25.3

requirements/wheel.txt

@@ -1,3 +1 @@
-# Note: This test intentionally uses Python 3.12, so that we test *.egg-link
-# path rewriting using older globally installed setuptools.
-3.12
+3.14

spec/fixtures/pip_editable/.python-version

@@ -4,8 +4,8 @@ set -euo pipefail
 
 cd .heroku/python/lib/python*/site-packages/
 
-# List any path like strings in the .egg-link, .pth, and finder files in site-packages.
-grep --extended-regexp --only-matching -- '/\S+' *.egg-link *.pth __editable___*_finder.py | sort
+# List any path like strings in the .pth and finder files in site-packages.
+grep --extended-regexp --only-matching -- '/\S+' *.pth __editable___*_finder.py | sort
 echo
 
 echo -n "Running entrypoint for the pyproject.toml-based local package: "

spec/fixtures/pip_editable/bin/test-entrypoints.sh

@@ -2,4 +2,4 @@
 # https://github.com/pypa/setuptools/issues/3535
 -e ./packages/local_package_pyproject_toml
 -e ./packages/local_package_setup_py
--e git+https://github.com/benoitc/gunicorn@20.1.0#egg=gunicorn
+-e git+https://github.com/benoitc/gunicorn@56b5ad87f8d72a674145c273ed8f547513c2b409#egg=gunicorn

spec/fixtures/pip_editable/requirements.txt

@@ -163,82 +163,72 @@
     end
   end
 
-  # This test intentionally uses Python 3.12, so that we test rewriting using older globally installed
-  # setuptools (which causes .egg-link files to be created too). The Pipenv and Poetry equivalents of
-  # this test covers the PEP-517/518 setuptools case.
   context 'when requirements.txt contains editable requirements (both VCS and local package)' do
     let(:buildpacks) { [:default, 'heroku-community/inline'] }
     let(:app) { Hatchet::Runner.new('spec/fixtures/pip_editable', buildpacks:) }
 
-    it 'rewrites .pth, .egg-link and finder paths correctly for hooks, later buildpacks, runtime and cached builds' do
+    it 'rewrites .pth and finder paths correctly for hooks, later buildpacks, runtime and cached builds' do
       app.deploy do |app|
         expect(clean_output(app.output)).to match(Regexp.new(<<~REGEX, Regexp::MULTILINE))
           remote: -----> Running bin/post_compile hook
-          remote:        easy-install.pth:/app/.heroku/python/src/gunicorn
-          remote:        easy-install.pth:/tmp/build_.+/packages/local_package_setup_py
+          remote:        __editable___gunicorn_23_0_0_finder.py:/app/.heroku/python/src/gunicorn/gunicorn'}
           remote:        __editable___local_package_pyproject_toml_0_0_1_finder.py:/tmp/build_.+/packages/local_package_pyproject_toml/local_package_pyproject_toml'}
-          remote:        gunicorn.egg-link:/app/.heroku/python/src/gunicorn
-          remote:        local-package-setup-py.egg-link:/tmp/build_.+/packages/local_package_setup_py
+          remote:        __editable___local_package_setup_py_0_0_1_finder.py:/tmp/build_.+/packages/local_package_setup_py/local_package_setup_py'}
           remote:        
           remote:        Running entrypoint for the pyproject.toml-based local package: Hello from pyproject.toml!
           remote:        Running entrypoint for the setup.py-based local package: Hello from setup.py!
-          remote:        Running entrypoint for the VCS package: gunicorn \\(version 20.1.0\\)
+          remote:        Running entrypoint for the VCS package: gunicorn \\(version 23.0.0\\)
           remote: -----> Saving cache
           .+
           remote: -----> Inline app detected
-          remote: easy-install.pth:/app/.heroku/python/src/gunicorn
-          remote: easy-install.pth:/tmp/build_.+/packages/local_package_setup_py
+          remote: __editable___gunicorn_23_0_0_finder.py:/app/.heroku/python/src/gunicorn/gunicorn'}
           remote: __editable___local_package_pyproject_toml_0_0_1_finder.py:/tmp/build_.+/packages/local_package_pyproject_toml/local_package_pyproject_toml'}
-          remote: gunicorn.egg-link:/app/.heroku/python/src/gunicorn
-          remote: local-package-setup-py.egg-link:/tmp/build_.+/packages/local_package_setup_py
+          remote: __editable___local_package_setup_py_0_0_1_finder.py:/tmp/build_.+/packages/local_package_setup_py/local_package_setup_py'}
           remote: 
           remote: Running entrypoint for the pyproject.toml-based local package: Hello from pyproject.toml!
           remote: Running entrypoint for the setup.py-based local package: Hello from setup.py!
-          remote: Running entrypoint for the VCS package: gunicorn \\(version 20.1.0\\)
+          remote: Running entrypoint for the VCS package: gunicorn \\(version 23.0.0\\)
         REGEX
 
         # Test rewritten paths work at runtime.
         expect(app.run('bin/test-entrypoints.sh')).to include(<<~OUTPUT)
-          easy-install.pth:/app/.heroku/python/src/gunicorn
-          easy-install.pth:/app/packages/local_package_setup_py
+          __editable___gunicorn_23_0_0_finder.py:/app/.heroku/python/src/gunicorn/gunicorn'}
           __editable___local_package_pyproject_toml_0_0_1_finder.py:/app/packages/local_package_pyproject_toml/local_package_pyproject_toml'}
-          gunicorn.egg-link:/app/.heroku/python/src/gunicorn
-          local-package-setup-py.egg-link:/app/packages/local_package_setup_py
+          __editable___local_package_setup_py_0_0_1_finder.py:/app/packages/local_package_setup_py/local_package_setup_py'}
 
           Running entrypoint for the pyproject.toml-based local package: Hello from pyproject.toml!
           Running entrypoint for the setup.py-based local package: Hello from setup.py!
-          Running entrypoint for the VCS package: gunicorn (version 20.1.0)
+          Running entrypoint for the VCS package: gunicorn (version 23.0.0)
         OUTPUT
 
         # Test that the cached .pth files work correctly.
         app.commit!
         app.push!
         expect(clean_output(app.output)).to match(Regexp.new(<<~REGEX, Regexp::MULTILINE))
           remote: -----> Running bin/post_compile hook
-          remote:        easy-install.pth:/app/.heroku/python/src/gunicorn
-          remote:        easy-install.pth:/tmp/build_.+/packages/local_package_setup_py
+          remote:        __editable___gunicorn_23_0_0_finder.py:/app/.heroku/python/src/gunicorn/gunicorn'}
           remote:        __editable___local_package_pyproject_toml_0_0_1_finder.py:/tmp/build_.+/packages/local_package_pyproject_toml/local_package_pyproject_toml'}
-          remote:        gunicorn.egg-link:/app/.heroku/python/src/gunicorn
-          remote:        local-package-setup-py.egg-link:/tmp/build_.+/packages/local_package_setup_py
+          remote:        __editable___local_package_setup_py_0_0_1_finder.py:/tmp/build_.+/packages/local_package_setup_py/local_package_setup_py'}
           remote:        
           remote:        Running entrypoint for the pyproject.toml-based local package: Hello from pyproject.toml!
           remote:        Running entrypoint for the setup.py-based local package: Hello from setup.py!
-          remote:        Running entrypoint for the VCS package: gunicorn \\(version 20.1.0\\)
+          remote:        Running entrypoint for the VCS package: gunicorn \\(version 23.0.0\\)
           remote: -----> Saving cache
           .+
           remote: -----> Inline app detected
-          remote: easy-install.pth:/app/.heroku/python/src/gunicorn
-          remote: easy-install.pth:/tmp/build_.+/packages/local_package_setup_py
+          remote: __editable___gunicorn_23_0_0_finder.py:/app/.heroku/python/src/gunicorn/gunicorn'}
           remote: __editable___local_package_pyproject_toml_0_0_1_finder.py:/tmp/build_.+/packages/local_package_pyproject_toml/local_package_pyproject_toml'}
-          remote: gunicorn.egg-link:/app/.heroku/python/src/gunicorn
-          remote: local-package-setup-py.egg-link:/tmp/build_.+/packages/local_package_setup_py
+          remote: __editable___local_package_setup_py_0_0_1_finder.py:/tmp/build_.+/packages/local_package_setup_py/local_package_setup_py'}
           remote: 
           remote: Running entrypoint for the pyproject.toml-based local package: Hello from pyproject.toml!
           remote: Running entrypoint for the setup.py-based local package: Hello from setup.py!
-          remote: Running entrypoint for the VCS package: gunicorn \\(version 20.1.0\\)
+          remote: Running entrypoint for the VCS package: gunicorn \\(version 23.0.0\\)
         REGEX
         # Test that the VCS repo checkout was cached correctly.
-        expect(app.output).to include('Updating /app/.heroku/python/src/gunicorn clone (to revision 20.1.0)')
+        expect(app.output).to include(<<~OUTPUT)
+          remote: Obtaining gunicorn from git+https://github.com/benoitc/gunicorn@56b5ad87f8d72a674145c273ed8f547513c2b409#egg=gunicorn (from -r requirements.txt (line 5))
+          remote:   Skipping because already up-to-date.
+        OUTPUT
       end
     end
   end
@@ -318,7 +308,7 @@
           remote:  !     patch version automatically and prevent this warning.
           remote: 
           remote: -----> Installing Python 3.10.0
-          remote: -----> Installing pip #{PIP_VERSION}, setuptools #{SETUPTOOLS_VERSION} and wheel #{WHEEL_VERSION}
+          remote: -----> Installing pip #{PIP_VERSION} and setuptools #{SETUPTOOLS_VERSION}
           remote: -----> Installing dependencies using 'pip install -r requirements.txt'
           remote:        Collecting typing-extensions==4.15.0 (from -r requirements.txt (line 2))
           remote:          Downloading typing_extensions-4.15.0-py3-none-any.whl.metadata (3.3 kB)
@@ -378,7 +368,7 @@
     it 'outputs instructions for how to resolve the build failure' do
       app.deploy do |app|
         expect(clean_output(app.output)).to include(<<~OUTPUT)
-          remote:        note: This error originates from a subprocess, and is likely not a problem with pip.
+          remote:        ERROR: Failed to build 'GDAL' when getting requirements to build wheel
           remote: 
           remote:  !     Error: Package installation failed since the GDAL library wasn't found.
           remote:  !     

spec/hatchet/pip_spec.rb

@@ -10,7 +10,7 @@
           remote: -----> Python app detected
           remote: -----> Using Python #{requested_version} specified in .python-version
           remote: -----> Installing Python #{resolved_version}
-          remote: -----> Installing pip #{PIP_VERSION}, setuptools #{SETUPTOOLS_VERSION} and wheel #{WHEEL_VERSION}
+          remote: -----> Installing pip #{PIP_VERSION} and setuptools #{SETUPTOOLS_VERSION}
           remote: -----> Installing dependencies using 'pip install -r requirements.txt'
           remote:        Collecting typing-extensions==4.15.0 (from -r requirements.txt (line 2))
         OUTPUT
@@ -152,7 +152,7 @@
             remote:        - The pip version has changed from 24.0 to #{PIP_VERSION}
             remote:        - The legacy SQLite3 headers and CLI binary need to be uninstalled
             remote: -----> Installing Python #{LATEST_PYTHON_3_12}
-            remote: -----> Installing pip #{PIP_VERSION}, setuptools #{SETUPTOOLS_VERSION} and wheel #{WHEEL_VERSION}
+            remote: -----> Installing pip #{PIP_VERSION} and setuptools #{SETUPTOOLS_VERSION}
           OUTPUT
           expect(app.run('python -V')).to eq("Python #{LATEST_PYTHON_3_12}\n")
           expect($CHILD_STATUS.exitstatus).to eq(0)
@@ -274,7 +274,7 @@
           remote:  !     https://devcenter.heroku.com/articles/python-support#supported-python-versions
           remote: 
           remote: -----> Installing Python #{LATEST_PYTHON_3_10}
-          remote: -----> Installing pip #{PIP_VERSION}, setuptools #{SETUPTOOLS_VERSION} and wheel #{WHEEL_VERSION}
+          remote: -----> Installing pip #{PIP_VERSION} and setuptools #{SETUPTOOLS_VERSION}
           remote: -----> Installing dependencies using 'pip install -r requirements.txt'
           remote:        Collecting typing-extensions==4.15.0 (from -r requirements.txt (line 2))
         OUTPUT

spec/hatchet/python_version_spec.rb

@@ -69,7 +69,7 @@
           remote:        - The buildpack cache format has changed
           remote:        - The legacy SQLite3 headers and CLI binary need to be uninstalled
           remote: -----> Installing Python #{LATEST_PYTHON_3_12}
-          remote: -----> Installing pip #{PIP_VERSION}, setuptools #{SETUPTOOLS_VERSION} and wheel #{WHEEL_VERSION}
+          remote: -----> Installing pip #{PIP_VERSION} and setuptools #{SETUPTOOLS_VERSION}
           remote: -----> Installing dependencies using 'pip install -r requirements.txt'
           remote:        Collecting typing-extensions==4.15.0 (from -r requirements.txt (line 2))
         OUTPUT