gh-112516: Update bundled pip version to 23.3.1

[schribl]

closes: #112516
xref: pypa/pip#12370

As this also fixes some security issues within the vendored/bundled libraries this should also be backported to older releases in my opinion. I can do this manually if an automated attempt fails, but I would first wait for a recommendation on what versions this might get backported to.

• Issue: Update the bundled version of pip to 23.3.1 #112516

[ghost]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[sethmlarson]

Checked the .whl file at and it matches the SHA256 on PyPI:

$ wget https://github.com/python/cpython/raw/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl

--2023-12-04 11:24:03--  https://github.com/python/cpython/raw/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/python/cpython/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl [following]
--2023-12-04 11:24:03--  https://raw.githubusercontent.com/python/cpython/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2107242 (2.0M) [application/octet-stream]
Saving to: ‘pip-23.3.1-py3-none-any.whl’

pip-23.3.1-py3-none-any.whl                         100%[==================================================================================================================>]   2.01M  4.65MB/s    in 0.4s    s

2023-12-04 11:24:04 (4.65 MB/s) - ‘pip-23.3.1-py3-none-any.whl’ saved [2107242/2107242]

$ sha256sum pip-23.3.1-py3-none-any.whl 
55eb67bb6171d37447e82213be585b75fe2b12b359e993773aca4de9247a052b  pip-23.3.1-py3-none-any.whl

In a separate directory:

$ python -m pip download pip

Collecting pip
  Obtaining dependency information for pip from https://files.pythonhosted.org/packages/47/6a/453160888fab7c6a432a6e25f8afe6256d0d9f2cbd25971021da6491d899/pip-23.3.1-py3-none-any.whl.metadata
  Using cached pip-23.3.1-py3-none-any.whl.metadata (3.5 kB)
Using cached pip-23.3.1-py3-none-any.whl (2.1 MB)
Saved ./pip-23.3.1-py3-none-any.whl
Successfully downloaded pip

[notice] A new release of pip is available: 23.2.1 -> 23.3.1
[notice] To update, run: pip install --upgrade pip

$ sha256sum pip-23.3.1-py3-none-any.whl 
55eb67bb6171d37447e82213be585b75fe2b12b359e993773aca4de9247a052b  pip-23.3.1-py3-none-any.whl

Those hashes match, therefore we should be fine to merge the commit: e7fe645

[miss-islington-app]

Thanks @schribl for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @schribl for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

[miss-islington-app]

Sorry, @schribl and @ambv, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 1e4680ce52ab6c065f5e0bb27e0b156b897aff67 3.11

[bedevere-app]

GH-112718 is a backport of this pull request to the 3.12 branch.

[sethmlarson]

I'm handling the 3.11 backport.

[bedevere-app]

GH-112719 is a backport of this pull request to the 3.11 branch.

[ywluogg]

I'm handling the 3.11 backport.

Hi I'm curious if this would be backported to 3.8 version? Thanks

[hugovk]

Python 3.8 only gets security fixes, and 3.8 releases are now provided as source only, so I don't think this qualifies for backporting on either count.

• https://devguide.python.org/versions/
• https://peps.python.org/pep-0569/#source-only-security-fix-releases
• https://devguide.python.org/developer-workflow/development-cycle/#security-branches

You can update pip through pip (e.g. python -m pip install --upgrade pip) or through your distro package manager.

[ywluogg]

I think what we've observed is that there's a vulnability in pip 23.2, and pip 23.3 would fix it, do you think this would qualify a bump for the security fix? https://nvd.nist.gov/vuln/detail/CVE-2023-5752

[ywluogg]

I'm also curious about the statement "Provided irregularly on an “as-needed” basis until October 2024." What are the regular security fixes that the community is watching an eye on for 3.8 to do the source fix?

[hugovk]

I think what we've observed is that there's a vulnability in pip 23.2, and pip 23.3 would fix it, do you think this would qualify a bump for the security fix? nvd.nist.gov/vuln/detail/CVE-2023-5752

I don't think so, but it's up to the release managers and security team to decide. My understanding is that the CVE would only affect people trying to install a package from a Mercurial repo. Plus I'm not sure how worthwhile it is updating a pip binary file in a source-only release, when pip can be directly updated in other ways.

But let's ask 3.8 release manager @ambv to confirm.

I'm also curious about the statement "Provided irregularly on an “as-needed” basis until October 2024." What are the regular security fixes that the community is watching an eye on for 3.8 to do the source fix?

It means there are no longer planned release dates for new 3.8 versions. If a security fix comes up that is important enough to warrant a 3.8 release, one will be made at that time.