Merge branch 'main' into Optimize---find-links=<path-to-dir>

Author: notatallshaw

.pre-commit-config.yaml

@@ -2,7 +2,7 @@ exclude: 'src/pip/_vendor/'
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.4.0
+  rev: v4.5.0
   hooks:
   - id: check-builtin-literals
   - id: check-added-large-files
@@ -16,31 +16,32 @@ repos:
   - id: trailing-whitespace
     exclude: .patch
 
-- repo: https://github.com/psf/black
-  rev: 23.7.0
+- repo: https://github.com/psf/black-pre-commit-mirror
+  rev: 23.12.1
   hooks:
   - id: black
 
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.0.292
+  rev: v0.1.9
   hooks:
     - id: ruff
+      args: [--fix, --exit-non-zero-on-fix]
 
 - repo: https://github.com/pre-commit/mirrors-mypy
-  rev: v0.961
+  rev: v1.8.0
   hooks:
   - id: mypy
     exclude: tests/data
     args: ["--pretty", "--show-error-codes"]
     additional_dependencies: [
-        'keyring==23.0.1',
-        'nox==2021.6.12',
+        'keyring==24.2.0',
+        'nox==2023.4.22',
         'pytest',
-        'types-docutils==0.18.3',
-        'types-setuptools==57.4.14',
-        'types-freezegun==1.1.9',
-        'types-six==1.16.15',
-        'types-pyyaml==6.0.12.2',
+        'types-docutils==0.20.0.3',
+        'types-setuptools==68.2.0.0',
+        'types-freezegun==1.1.10',
+        'types-six==1.16.21.9',
+        'types-pyyaml==6.0.12.12',
     ]
 
 - repo: https://github.com/pre-commit/pygrep-hooks

AUTHORS.txt

@@ -20,6 +20,7 @@ Albert-Guan
 albertg
 Alberto Sottile
 Aleks Bunin
+Ales Erjavec
 Alethea Flowers
 Alex Gaynor
 Alex Grönholm
@@ -30,6 +31,7 @@ Alex Stachowiak
 Alexander Shtyrov
 Alexandre Conrad
 Alexey Popravka
+Aleš Erjavec
 Alli
 Ami Fischman
 Ananya Maiti
@@ -196,9 +198,11 @@ David Runge
 David Tucker
 David Wales
 Davidovich
+ddelange
 Deepak Sharma
 Deepyaman Datta
 Denise Yu
+dependabot[bot]
 derwolfe
 Desetude
 Devesh Kumar Singh
@@ -223,6 +227,8 @@ Dwayne Bailey
 Ed Morley
 Edgar Ramírez
 Ee Durbin
+Efflam Lemaillet
+efflamlemaillet
 Eitan Adler
 ekristina
 elainechan
@@ -312,6 +318,7 @@ Ilya Baryshev
 Inada Naoki
 Ionel Cristian Mărieș
 Ionel Maries Cristian
+Itamar Turner-Trauring
 Ivan Pozdeev
 Jacob Kim
 Jacob Walls
@@ -338,6 +345,7 @@ Jay Graves
 Jean-Christophe Fillion-Robin
 Jeff Barber
 Jeff Dairiki
+Jeff Widman
 Jelmer Vernooij
 jenix21
 Jeremy Stanley
@@ -367,6 +375,7 @@ Joseph Long
 Josh Bronson
 Josh Hansen
 Josh Schneier
+Joshua
 Juan Luis Cano Rodríguez
 Juanjo Bazán
 Judah Rand
@@ -397,6 +406,7 @@ KOLANICH
 kpinc
 Krishna Oza
 Kumar McMillan
+Kurt McKee
 Kyle Persohn
 lakshmanaram
 Laszlo Kiss-Kollar
@@ -413,6 +423,7 @@ lorddavidiii
 Loren Carvalho
 Lucas Cimon
 Ludovic Gasc
+Lukas Geiger
 Lukas Juhrich
 Luke Macken
 Luo Jiebin
@@ -529,6 +540,7 @@ Patrick Jenkins
 Patrick Lawson
 patricktokeeffe
 Patrik Kopkan
+Paul Ganssle
 Paul Kehrer
 Paul Moore
 Paul Nasrat
@@ -609,6 +621,7 @@ ryneeverett
 Sachi King
 Salvatore Rinchiera
 sandeepkiran-js
+Sander Van Balen
 Savio Jomton
 schlamar
 Scott Kitterman
@@ -621,6 +634,7 @@ SeongSoo Cho
 Sergey Vasilyev
 Seth Michael Larson
 Seth Woodworth
+Shahar Epstein
 Shantanu
 shireenrao
 Shivansh-007
@@ -648,6 +662,7 @@ Steve Kowalik
 Steven Myint
 Steven Silvester
 stonebig
+studioj
 Stéphane Bidoul
 Stéphane Bidoul (ACSONE)
 Stéphane Klein

NEWS.rst

@@ -9,13 +9,90 @@
 
 .. towncrier release notes start
 
+23.3.2 (2023-12-17)
+===================
+
+Bug Fixes
+---------
+
+- Fix a bug in extras handling for link requirements (`#12372 <https://github.com/pypa/pip/issues/12372>`_)
+- Fix mercurial revision "parse error": use ``--rev={ref}`` instead of ``-r={ref}`` (`#12373 <https://github.com/pypa/pip/issues/12373>`_)
+
+
+23.3.1 (2023-10-21)
+===================
+
+Bug Fixes
+---------
+
+- Handle a timezone indicator of Z when parsing dates in the self check. (`#12338 <https://github.com/pypa/pip/issues/12338>`_)
+- Fix bug where installing the same package at the same time with multiple pip processes could fail. (`#12361 <https://github.com/pypa/pip/issues/12361>`_)
+
+
+23.3 (2023-10-15)
+=================
+
+Process
+-------
+
+- Added reference to `vulnerability reporting guidelines <https://www.python.org/dev/security/>`_ to pip's security policy.
+
+Deprecations and Removals
+-------------------------
+
+- Drop a fallback to using SecureTransport on macOS. It was useful when pip detected OpenSSL older than 1.0.1, but the current pip does not support any Python version supporting such old OpenSSL versions. (`#12175 <https://github.com/pypa/pip/issues/12175>`_)
+
+Features
+--------
+
+- Improve extras resolution for multiple constraints on same base package. (`#11924 <https://github.com/pypa/pip/issues/11924>`_)
+- Improve use of datastructures to make candidate selection 1.6x faster. (`#12204 <https://github.com/pypa/pip/issues/12204>`_)
+- Allow ``pip install --dry-run`` to use platform and ABI overriding options. (`#12215 <https://github.com/pypa/pip/issues/12215>`_)
+- Add ``is_yanked`` boolean entry to the installation report (``--report``) to indicate whether the requirement was yanked from the index, but was still selected by pip conform to :pep:`592`. (`#12224 <https://github.com/pypa/pip/issues/12224>`_)
+
+Bug Fixes
+---------
+
+- Ignore errors in temporary directory cleanup (show a warning instead). (`#11394 <https://github.com/pypa/pip/issues/11394>`_)
+- Normalize extras according to :pep:`685` from package metadata in the resolver
+  for comparison. This ensures extras are correctly compared and merged as long
+  as the package providing the extra(s) is built with values normalized according
+  to the standard. Note, however, that this *does not* solve cases where the
+  package itself contains unnormalized extra values in the metadata. (`#11649 <https://github.com/pypa/pip/issues/11649>`_)
+- Prevent downloading sdists twice when :pep:`658` metadata is present. (`#11847 <https://github.com/pypa/pip/issues/11847>`_)
+- Include all requested extras in the install report (``--report``). (`#11924 <https://github.com/pypa/pip/issues/11924>`_)
+- Removed uses of ``datetime.datetime.utcnow`` from non-vendored code. (`#12005 <https://github.com/pypa/pip/issues/12005>`_)
+- Consistently report whether a dependency comes from an extra. (`#12095 <https://github.com/pypa/pip/issues/12095>`_)
+- Fix completion script for zsh (`#12166 <https://github.com/pypa/pip/issues/12166>`_)
+- Fix improper handling of the new onexc argument of ``shutil.rmtree()`` in Python 3.12. (`#12187 <https://github.com/pypa/pip/issues/12187>`_)
+- Filter out yanked links from the available versions error message: "(from versions: 1.0, 2.0, 3.0)" will not contain yanked versions conform PEP 592. The yanked versions (if any) will be mentioned in a separate error message. (`#12225 <https://github.com/pypa/pip/issues/12225>`_)
+- Fix crash when the git version number contains something else than digits and dots. (`#12280 <https://github.com/pypa/pip/issues/12280>`_)
+- Use ``-r=...`` instead of ``-r ...`` to specify references with Mercurial. (`#12306 <https://github.com/pypa/pip/issues/12306>`_)
+- Redact password from URLs in some additional places. (`#12350 <https://github.com/pypa/pip/issues/12350>`_)
+- pip uses less memory when caching large packages. As a result, there is a new on-disk cache format stored in a new directory ($PIP_CACHE_DIR/http-v2). (`#2984 <https://github.com/pypa/pip/issues/2984>`_)
+
+Vendored Libraries
+------------------
+
+- Upgrade certifi to 2023.7.22
+- Add truststore 0.8.0
+- Upgrade urllib3 to 1.26.17
+
+Improved Documentation
+----------------------
+
+- Document that ``pip search`` support has been removed from PyPI (`#12059 <https://github.com/pypa/pip/issues/12059>`_)
+- Clarify --prefer-binary in CLI and docs (`#12122 <https://github.com/pypa/pip/issues/12122>`_)
+- Document that using OS-provided Python can cause pip's test suite to report false failures. (`#12334 <https://github.com/pypa/pip/issues/12334>`_)
+
+
 23.2.1 (2023-07-22)
 ===================
 
 Bug Fixes
 ---------
 
-- Disable PEP 658 metadata fetching with the legacy resolver. (`#12156 <https://github.com/pypa/pip/issues/12156>`_)
+- Disable :pep:`658` metadata fetching with the legacy resolver. (`#12156 <https://github.com/pypa/pip/issues/12156>`_)
 
 
 23.2 (2023-07-15)
@@ -29,8 +106,9 @@ Process
 Deprecations and Removals
 -------------------------
 
-- Deprecate legacy version and version specifiers that don't conform to `PEP 440
-  <https://peps.python.org/pep-0440/>`_ (`#12063 <https://github.com/pypa/pip/issues/12063>`_)
+- Deprecate legacy version and version specifiers that don't conform to the
+  :ref:`specification <pypug:version-specifiers>`.
+  (`#12063 <https://github.com/pypa/pip/issues/12063>`_)
 - ``freeze`` no longer excludes the ``setuptools``, ``distribute``, and ``wheel``
   from the output when running on Python 3.12 or later, where they are not
   included in a virtual environment by default. Use ``--exclude`` if you wish to
@@ -45,11 +123,11 @@ Bug Fixes
 ---------
 
 - Fix ``pip completion --zsh``. (`#11417 <https://github.com/pypa/pip/issues/11417>`_)
-- Prevent downloading files twice when PEP 658 metadata is present (`#11847 <https://github.com/pypa/pip/issues/11847>`_)
+- Prevent downloading files twice when :pep:`658` metadata is present (`#11847 <https://github.com/pypa/pip/issues/11847>`_)
 - Add permission check before configuration (`#11920 <https://github.com/pypa/pip/issues/11920>`_)
 - Fix deprecation warnings in Python 3.12 for usage of shutil.rmtree (`#11957 <https://github.com/pypa/pip/issues/11957>`_)
 - Ignore invalid or unreadable ``origin.json`` files in the cache of locally built wheels. (`#11985 <https://github.com/pypa/pip/issues/11985>`_)
-- Fix installation of packages with PEP658 metadata using non-canonicalized names (`#12038 <https://github.com/pypa/pip/issues/12038>`_)
+- Fix installation of packages with :pep:`658` metadata using non-canonicalized names (`#12038 <https://github.com/pypa/pip/issues/12038>`_)
 - Correctly parse ``dist-info-metadata`` values from JSON-format index data. (`#12042 <https://github.com/pypa/pip/issues/12042>`_)
 - Fail with an error if the ``--python`` option is specified after the subcommand name. (`#12067 <https://github.com/pypa/pip/issues/12067>`_)
 - Fix slowness when using ``importlib.metadata`` (the default way for pip to read metadata in Python 3.11+) and there is a large overlap between already installed and to-be-installed packages. (`#12079 <https://github.com/pypa/pip/issues/12079>`_)
@@ -220,7 +298,7 @@ Features
 
 - Change the hashes in the installation report to be a mapping. Emit the
   ``archive_info.hashes`` dictionary in ``direct_url.json``. (`#11312 <https://github.com/pypa/pip/issues/11312>`_)
-- Implement logic to read the ``EXTERNALLY-MANAGED`` file as specified in PEP 668.
+- Implement logic to read the ``EXTERNALLY-MANAGED`` file as specified in :pep:`668`.
   This allows a downstream Python distributor to prevent users from using pip to
   modify the externally managed environment. (`#11381 <https://github.com/pypa/pip/issues/11381>`_)
 - Enable the use of ``keyring`` found on ``PATH``. This allows ``keyring``
@@ -236,7 +314,7 @@ Bug Fixes
 - Use the "venv" scheme if available to obtain prefixed lib paths. (`#11598 <https://github.com/pypa/pip/issues/11598>`_)
 - Deprecated a historical ambiguity in how ``egg`` fragments in URL-style
   requirements are formatted and handled. ``egg`` fragments that do not look
-  like PEP 508 names now produce a deprecation warning. (`#11617 <https://github.com/pypa/pip/issues/11617>`_)
+  like :pep:`508` names now produce a deprecation warning. (`#11617 <https://github.com/pypa/pip/issues/11617>`_)
 - Fix scripts path in isolated build environment on Debian. (`#11623 <https://github.com/pypa/pip/issues/11623>`_)
 - Make ``pip show`` show the editable location if package is editable (`#11638 <https://github.com/pypa/pip/issues/11638>`_)
 - Stop checking that ``wheel`` is present when ``build-system.requires``

docs/html/cli/pip_install.rst

@@ -45,11 +45,11 @@ When looking at the items to be installed, pip checks what type of item
 each is, in the following order:
 
 1. Project or archive URL.
-2. Local directory (which must contain a ``setup.py``, or pip will report
-   an error).
+2. Local directory (which must contain a ``pyproject.toml`` or ``setup.py``,
+   otherwise pip will report an error).
 3. Local file (a sdist or wheel format archive, following the naming
    conventions for those formats).
-4. A requirement, as specified in :pep:`440`.
+4. A :ref:`version specifier <pypug:version-specifiers>`.
 
 Each item identified is added to the set of requirements to be satisfied by
 the install.
@@ -97,7 +97,8 @@ Installation Order
 .. note::
 
    This section is only about installation order of runtime dependencies, and
-   does not apply to build dependencies (those are specified using PEP 518).
+   does not apply to build dependencies (those are specified using the
+   :ref:`[build-system] table <pypug:pyproject-build-system-table>`).
 
 As of v6.1.0, pip installs dependencies before their dependents, i.e. in
 "topological order."  This is the only commitment pip currently makes related
@@ -181,8 +182,9 @@ Pre-release Versions
 --------------------
 
 Starting with v1.4, pip will only install stable versions as specified by
-`pre-releases`_ by default. If a version cannot be parsed as a compliant :pep:`440`
-version then it is assumed to be a pre-release.
+`pre-releases`_ by default. If a version cannot be parsed as a
+:ref:`compliant <pypug:version-specifiers>` version then it is assumed to be
+a pre-release.
 
 If a Requirement specifier includes a pre-release or development version
 (e.g. ``>=0.0.dev0``) then pip will allow pre-release and development versions
@@ -214,8 +216,8 @@ pip looks for packages in a number of places: on PyPI (if not disabled via
 ``--no-index``), in the local filesystem, and in any additional repositories
 specified via ``--find-links`` or ``--index-url``. There is no ordering in
 the locations that are searched. Rather they are all checked, and the "best"
-match for the requirements (in terms of version number - see :pep:`440` for
-details) is selected.
+match for the requirements (in terms of version number - see the
+:ref:`specification <pypug:version-specifiers>` for details) is selected.
 
 See the :ref:`pip install Examples<pip install Examples>`.
 
@@ -380,7 +382,8 @@ Examples
          py -m pip install -e "git+https://git.repo/some_pkg.git@feature#egg=SomePackage"  # from 'feature' branch
          py -m pip install -e "git+https://git.repo/some_repo.git#egg=subdir&subdirectory=subdir_path" # install a python package from a repo subdirectory
 
-#. Install a package with `extras`_.
+#. Install a package with extras, i.e., optional dependencies
+   (:ref:`specification <pypug:dependency-specifiers>`).
 
    .. tab:: Unix/macOS
 
@@ -418,7 +421,8 @@ Examples
          py -m pip install "./downloads/SomePackage-1.0.4.tar.gz"
          py -m pip install "http://my.package.repo/SomePackage-1.0.4.zip"
 
-#. Install a particular source archive file following :pep:`440` direct references.
+#. Install a particular source archive file following direct references
+   (:ref:`specification <pypug:dependency-specifiers>`).
 
    .. tab:: Unix/macOS
 
@@ -539,5 +543,4 @@ Examples
 
          py -m pip install SomePackage1 SomePackage2 --no-binary SomePackage1
 
-.. _extras: https://www.python.org/dev/peps/pep-0508/#extras
 .. _PyPI: https://pypi.org/

docs/html/cli/pip_wheel.rst

@@ -34,7 +34,8 @@ Differences to ``build``
 ------------------------
 
 `build <https://pypi.org/project/build/>`_ is a simple tool which can among other things build
-wheels for projects using PEP 517. It is comparable to the execution of ``pip wheel --no-deps .``.
+wheels for projects using the standard ``pyproject.toml``-based build interface. It
+is comparable to the execution of ``pip wheel --no-deps .``.
 It can also build source distributions which is not possible with ``pip``.
 ``pip wheel`` covers the wheel scope of ``build`` but offers many additional features.
 

docs/html/development/architecture/package-finding.rst

@@ -182,8 +182,9 @@ example, whether a pre-release is eligible for selection or whether a file
 whose hash doesn't match is eligible depends on properties of the collection
 as a whole.
 
-The ``CandidateEvaluator`` class uses information like the list of `PEP 425`_
-tags compatible with the target Python interpreter, hashes provided by the
+The ``CandidateEvaluator`` class uses information like the list of
+:ref:`platform tags <pypug:platform-compatibility-tags>`
+compatible with the target Python interpreter, hashes provided by the
 user, and other user preferences, etc.
 
 Specifically, the class has a ``get_applicable_candidates()`` method.
@@ -236,5 +237,4 @@ The class is the return type of both the ``CandidateEvaluator`` class's
 ``find_best_candidate()`` method.
 
 
-.. _`PEP 425`: https://www.python.org/dev/peps/pep-0425/
 .. _`PEP 503`: https://www.python.org/dev/peps/pep-0503/