Skip to content

Bump pip from 24.0 to 24.3.1#1685

Merged
edmorley merged 3 commits intomainfrom
dependabot/pip/pip-24.3.1
Dec 3, 2024
Merged

Bump pip from 24.0 to 24.3.1#1685
edmorley merged 3 commits intomainfrom
dependabot/pip/pip-24.3.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Nov 1, 2024
edited
Loading

Bumps pip from 24.0 to 24.3.1.

Changelog

Sourced from pip's changelog.

24.3.1 (2024-10-27)

Bug Fixes

  • Allow multiple nested inclusions of the same requirements file again. ([#13046](https://github.com/pypa/pip/issues/13046) <https://github.com/pypa/pip/issues/13046>_)

24.3 (2024-10-27)

Deprecations and Removals

  • Deprecate wheel filenames that are not compliant with :pep:440. ([#12918](https://github.com/pypa/pip/issues/12918) <https://github.com/pypa/pip/issues/12918>_)

Features

  • Detect recursively referencing requirements files and help users identify the source. ([#12653](https://github.com/pypa/pip/issues/12653) <https://github.com/pypa/pip/issues/12653>_)
  • Support for :pep:730 iOS wheels. ([#12961](https://github.com/pypa/pip/issues/12961) <https://github.com/pypa/pip/issues/12961>_)

Bug Fixes

  • Display a better error message when an already installed package has an invalid requirement. ([#12953](https://github.com/pypa/pip/issues/12953) <https://github.com/pypa/pip/issues/12953>_)
  • Ignore PIP_TARGET and pip.conf global.target when preparing a build environment. ([#8438](https://github.com/pypa/pip/issues/8438) <https://github.com/pypa/pip/issues/8438>_)
  • Restore support for macOS 10.12 and older (via truststore). ([#12901](https://github.com/pypa/pip/issues/12901) <https://github.com/pypa/pip/issues/12901>_)
  • Allow installing pip in editable mode in a virtual environment on Windows. ([#12666](https://github.com/pypa/pip/issues/12666) <https://github.com/pypa/pip/issues/12666>_)

Vendored Libraries

  • Upgrade certifi to 2024.8.30
  • Upgrade distlib to 0.3.9
  • Upgrade truststore to 0.10.0
  • Upgrade urllib3 to 1.26.20

24.2 (2024-07-28)

Deprecations and Removals

  • Deprecate pip install --editable falling back to setup.py develop when using a setuptools version that does not support :pep:660 (setuptools v63 and older). ([#11457](https://github.com/pypa/pip/issues/11457) <https://github.com/pypa/pip/issues/11457>_)

Features

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot requested a review from edmorley as a code owner November 1, 2024 09:33
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Dependabot pull requests that update Python dependencies labels Nov 1, 2024
@dependabot dependabot Bot mentioned this pull request Nov 1, 2024
Closed
@edmorley edmorley removed their request for review November 1, 2024 09:38
@edmorley
Copy link
Copy Markdown
Member

edmorley commented Dec 3, 2024

@dependabot recreate

@dependabot
Bump pip from 24.0 to 24.3.1
c207483 
Bumps [pip](https://github.com/pypa/pip) from 24.0 to 24.3.1.
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@24.0...24.3.1)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-24.3.1 branch from 2148514 to c207483 Compare December 3, 2024 12:07
@edmorley edmorley requested a review from a team as a code owner December 3, 2024 13:02
@edmorley edmorley merged commit 6be689b into main Dec 3, 2024
@edmorley edmorley deleted the dependabot/pip/pip-24.3.1 branch December 3, 2024 13:13
Ken4scholars added a commit to weoutfun/heroku-buildpack-python that referenced this pull request Dec 3, 2024
@Ken4scholars
Revert "Bump pip from 24.0 to 24.3.1 (heroku#1685)"
eeabe6c 
This reverts commit 6be689b.
@heroku-linguist heroku-linguist Bot mentioned this pull request Dec 4, 2024
Merged
@edmorley
Copy link
Copy Markdown
Member

edmorley commented Dec 4, 2024
edited
Loading

Note: As of pip 24.1+, packages with invalid metadata are now rejected:
https://pip.pypa.io/en/stable/news/#b1-2024-05-06
pypa/pip#12063

This follows on from the deprecation warning that pip has been showing since pip 23.2 (released July 2023):
pypa/pip#11945

If you see pip output mentioning ignoring dependencies due to invalid metadata you will need to upgrade to newer versions of those dependencies.

For example, when using Celery versions 5.2.0 and older it is expected that the build will now fail with:

-----> Installing dependencies using 'pip install -r requirements.txt'
       Collecting typing-extensions==4.12.2 (from -r requirements.txt (line 5))
         Downloading typing_extensions-4.12.2-py3-none-any.whl.metadata (3.0 kB)
       Collecting celery==5.2.0 (from -r requirements.txt (line 6))
         Downloading celery-5.2.0-py3-none-any.whl.metadata (20 kB)
       WARNING: Ignoring version 5.2.0 of celery since it has invalid metadata:
       Requested celery==5.2.0 from https://files.pythonhosted.org/packages/76/f3/1299844327e0da1a89dfeffc0ee72dee80ed029df60c1634be708e7115fb/celery-5.2.0-py3-none-any.whl (from -r requirements.txt (line 6)) has invalid metadata: Expected matching RIGHT_PARENTHESIS for LEFT_PARENTHESIS, after version specifier
           pytz (>dev)
                ~^
       Please use pip<24.1 if you need to use this version.
       ERROR: Ignored the following yanked versions: 5.0.6, 5.2.5
       ERROR: Could not find a version that satisfies the requirement celery==5.2.0 (from versions: 0.1.2, 0.1.4, 0.1.6, 0.1.7, 0.1.8, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.2.0, 0.3.0, 0.3.7, 0.3.20, 0.4.0, 0.4.1, 0.6.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26.post1, 3.1.26.post2, 4.0.0rc3, 4.0.0rc4, 4.0.0rc5, 4.0.0rc6, 4.0.0rc7, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0rc1, 4.2.0rc2, 4.2.0rc3, 4.2.0rc4, 4.2.0, 4.2.1, 4.2.2, 4.3.0rc1, 4.3.0rc2, 4.3.0rc3, 4.3.0, 4.3.1, 4.4.0rc1, 4.4.0rc2, 4.4.0rc3, 4.4.0rc4, 4.4.0rc5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 5.0.0a1, 5.0.0a2, 5.0.0b1, 5.0.0rc1, 5.0.0rc2, 5.0.0rc3, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0b1, 5.1.0b2, 5.1.0rc1, 5.1.0, 5.1.1, 5.1.2, 5.2.0b1, 5.2.0b2, 5.2.0b3, 5.2.0rc1, 5.2.0rc2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.6, 5.2.7, 5.3.0a1, 5.3.0b1, 5.3.0b2, 5.3.0rc1, 5.3.0rc2, 5.3.0, 5.3.1, 5.3.4, 5.3.5, 5.3.6, 5.4.0rc1, 5.4.0rc2, 5.4.0, 5.5.0b1, 5.5.0b2, 5.5.0b3, 5.5.0b4, 5.5.0rc1, 5.5.0rc2, 5.5.0rc3)
       ERROR: No matching distribution found for celery==5.2.0

 !     Error: Unable to install dependencies using pip.
 !     
 !     See the log output above for more information.

Previously (both on Heroku and in your local development environments/CI), pip will have been displaying this deprecation warning:

DEPRECATION: celery 5.2.0 has a non-standard dependency specifier pytz>dev. pip 24.1 will enforce
this behaviour change. A possible replacement is to upgrade to a newer version of celery or contact
the author to suggest that they release a version with a conforming dependency specifiers.
Discussion can be found at https://github.com/pypa/pip/issues/12063

If you use celery, you must upgrade to v5.2.1 (released in 2021) or newer, to pick up this upstream fix:
celery/celery#7074

If you are upgrading from Celery 4.x to 5.x, you will need to follow the upgrading steps here:
https://docs.celeryq.dev/en/stable/history/whatsnew-5.0.html#upgrading-from-celery-4-x

And as always, we recommend keeping your dependencies up to date in general - eg by setting up Dependabot:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates

@edmorley
Copy link
Copy Markdown
Member

edmorley commented Dec 4, 2024

https://devcenter.heroku.com/changelog-items/3073

@edmorley edmorley mentioned this pull request Dec 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edmorley edmorley edmorley approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Dependabot pull requests that update Python dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@edmorley