Skip to content

Update dependency pip to v26 [SECURITY]#58

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability
Open

Update dependency pip to v26 [SECURITY]#58
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-pip-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Oct 26, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pip (changelog) ~=24.0~=26.0 age adoption passing confidence
pip (changelog) ==24.0==26.0 age adoption passing confidence

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

CVE-2025-8869 / GHSA-4xh5-x5gv-qwph

More information

Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pip Path Traversal vulnerability

CVE-2026-1703 / GHSA-6vgw-5pg2-w6jp

More information

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pypa/pip (pip)

v26.0

Compare Source

v25.3

Compare Source

v25.2

Compare Source

v25.1.1

Compare Source

v25.1

Compare Source

v25.0.1

Compare Source

v25.0

Compare Source

v24.3.1

Compare Source

v24.3

Compare Source

v24.2

Compare Source

v24.1.2

Compare Source

v24.1.1

Compare Source

v24.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovatebot label Oct 26, 2025
@renovate renovate bot requested a review from a team as a code owner October 26, 2025 04:17
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Oct 26, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: model-servers/vllm/0.11.0/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-uz5r4xsv-requirements/pipenv-cg8bken5-constraints.txt 
(line 17) and triton==3.2.0 because these package versions have conflicting 
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested triton==3.2.0
    torch 2.8.0+cu126 depends on triton==3.4.0; platform_system == "Linux" and 
platform_machine == "x86_64"
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    triton
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested triton==3.2.0
    torch 2.8.0+cu126 depends on triton==3.4.0; platform_system == "Linux" and 
platform_machine == "x86_64"

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1355, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1155, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.6.4/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-mhcvy_ez-requirements/pipenv-lwdgn7pr-constraints.txt 
(line 4) and torch==2.3.0+cu121 because these package versions have conflicting 
dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    vllm-flash-attn 2.6.2 depends on torch==2.4.0
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    torch
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested torch==2.3.0+cu121
    vllm-flash-attn 2.6.2 depends on torch==2.4.0

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1355, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1155, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.6.6/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-zzr6uh51-requirements/pipenv-05jm1q_0-constraints.txt 
(line 35) and transformers~=4.40.2 because these package versions have 
conflicting dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested transformers~=4.40.2
    vllm 0.6.6 depends on transformers>=4.45.2
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    transformers
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested transformers~=4.40.2
    vllm 0.6.6 depends on transformers>=4.45.2

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1355, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1155, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!
File name: model-servers/vllm/0.8.4/Pipfile.lock
Command failed: pipenv lock
Locking  dependencies...
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Cannot 
install -r /tmp/pipenv-advr09v1-requirements/pipenv-yclniakb-constraints.txt 
(line 14), -r /tmp/pipenv-advr09v1-requirements/pipenv-yclniakb-constraints.txt 
(line 4) and transformers~=4.40.2 because these package versions have 
conflicting dependencies.
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:
The conflict is caused by:
    The user requested transformers~=4.40.2
    outlines 0.0.34 depends on transformers
    vllm 0.8.4 depends on transformers>=4.51.1
Additionally, some packages in these conflicts have no matching distributions 
available for your environment:
    transformers
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip to attempt to solve the dependency 
conflict
Your dependencies could not be resolved. You likely have a mismatch in your 
sub-dependencies.
You can use $ pipenv run pip install <requirement_name> to bypass this 
mechanism, then run $ pipenv graph to inspect the versions actually installed in
the virtualenv.
Hint: try $ pipenv lock --pre if it is a pre-release dependency.
Hint: try $ pipenv lock --verbose to see the full dependency resolution output.
ERROR: ResolutionImpossible: for help visit 
https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-depende
ncy-conflicts
The conflict is caused by:
    The user requested transformers~=4.40.2
    outlines 0.0.34 depends on transformers
    vllm 0.8.4 depends on transformers>=4.51.1

Hint: Re-run with --verbose to see the full dependency resolution output and 
identify which packages are in conflict.
Traceback (most recent call last):
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/routines/lock.py", line 94, in do_lock
    venv_resolve_deps(
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1355, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File 
"/opt/containerbase/tools/pipenv/2026.5.0/3.11.15/lib/python3.11/site-packages/p
ipenv/utils/resolver.py", line 1155, in resolve
    raise ResolutionFailure("Failed to lock Pipfile.lock!")
pipenv.exceptions.ResolutionFailure: ERROR: Failed to lock Pipfile.lock!

@renovate renovate bot added the renovatebot label Oct 26, 2025
@renovate
Update dependency pip to v26 [SECURITY]
b9d33e4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/pypi-pip-vulnerability branch from 4ed7f89 to b9d33e4 Compare February 3, 2026 20:12
@renovate renovate bot changed the title Update dependency pip to v25 [SECURITY] Update dependency pip to v26 [SECURITY] Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovatebot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants