Update vendored Pip's CA cert bundle. (#2476)
This pulls in a new vendored version of Pip with an updated certifi CA
cert bundle from the latest certifi release version that addresses at
least https://nvd.nist.gov/vuln/detail/CVE-2023-37920.
jsirois authored Jul 25, 2024
1 parent 9bf28ed commit 9ddabde
Showing 5 changed files with 1,461 additions and 1,249 deletions.
14 changes: 14 additions & 0 deletions CHANGES.md
@@ -1,5 +1,19 @@
# Release Notes

## 2.12.1

This release refreshes the root CA cert bundle used by
`--pip-version vendored` (which is the default Pip Pex uses for
Python `<3.12`) from [certifi 2019.9.11](
https://pypi.org/project/certifi/2019.9.11/)'s `cacert.pem` to
[certifi 2024.7.4](https://pypi.org/project/certifi/2024.7.4/)'s
`cacert.pem`. This refresh addresses at least [CVE-2023-37920](
https://nvd.nist.gov/vuln/detail/CVE-2023-37920) and was spearheaded by
a contribution from [Nash Kaminski](https://github.com/gs-kamnas) in
https://github.com/pex-tool/pip/pull/12. Thank you, Nash!

* Update vendored Pip's CA cert bundle. (#2476)

## 2.12.0

This release adds support for passing `--site-packages-copies` to both
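Review bot: the release note says the refresh "addresses at least CVE-2023-37920", but a jump from certifi 2019.9.11 to 2024.7.4 changes the trust store in both directions (roots removed as well as added), and only the one CVE is named. Suggest adding a sentence that users whose servers chain to a root present in the 2019 bundle but dropped since may now see TLS verification failures under `--pip-version vendored`, and pointing readers at certifi's own release history for the full set of root changes so they can assess impact beyond the single CVE. The scoping to "the default Pip Pex uses for Python `<3.12`" is useful and should stay.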
7 changes: 5 additions & 2 deletions pex/vendor/__init__.py
@@ -207,7 +207,7 @@ def iter_vendor_specs(filter_requires_python=None):
# We shell out to pip at buildtime to resolve and install dependencies.
# N.B.: We're currently using a patched version of Pip 20.3.4 housed at
# https://github.com/pex-tool/pip/tree/pex/patches/generation-2.
# It has 3 patches:
# It has 4 patches:
# 1.) https://github.com/pex-tool/pip/commit/06f462537c981116c763c1ba40cf40e9dd461bcf
# The patch works around a bug in `pip download --constraint...` tracked at
# https://github.com/pypa/pip/issues/9283 and fixed by https://github.com/pypa/pip/pull/9301
@@ -222,9 +222,12 @@ def iter_vendor_specs(filter_requires_python=None):
# https://github.com/pypa/pip/commit/601bcf82eccfbc15c1ff6cc735aafb2c9dab81a5
# (https://github.com/pypa/pip/pull/12716) from upstream that fixes glibc version probing on
# musl libc systems.
# 4.) https://github.com/pex-tool/pip/commit/48508331d331a1c326b0eccf4aac7476bc7ccca8
# This sets up and runs the 1st semi-automated update of Pip's vendored certifi's cacert.pem
# bringing it up to date with certifi 2024.7.4.
yield VendorSpec.git(
repo="https://github.com/pex-tool/pip",
commit="00827ec9f4275a7786425cf006466c56f4cbd862",
commit="48508331d331a1c326b0eccf4aac7476bc7ccca8",
project_name="pip",
rewrite=False,
)
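Review bot: the pin moves from one full 40-hex commit to another with `rewrite=False` unchanged, which is the right way to pin a fork (a branch name would let the bundle drift), but nothing in this diff verifies that the `cacert.pem` at `48508331d331a1c326b0eccf4aac7476bc7ccca8` actually matches certifi 2024.7.4's file. Suggest recording the expected SHA-256 of the upstream `cacert.pem` next to the `4.)` comment, or adding a test that compares the vendored file against the certifi release, so "bringing it up to date with certifi 2024.7.4" is checkable rather than asserted. The phrase "1st semi-automated update" should also say where the update script lives (or link the contribution from the changelog, https://github.com/pex-tool/pip/pull/12) so the next refresh can repeat the same procedure.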
2 changes: 1 addition & 1 deletion pex/vendor/_vendored/pip/.layout.json
@@ -1 +1 @@
{"fingerprint": "23b678435eebb1c7423541b5663bdc518833a4b75a3a3a2192466a37cd7b1861", "record_relpath": "pip-20.3.4.dist-info/RECORD", "root_is_purelib": true, "stash_dir": ".prefix"}
{"fingerprint": "25dd234e8b019eac998222a76fbbdeb4c28b7185edc84230f101adf0a27a4f88", "record_relpath": "pip-20.3.4.dist-info/RECORD", "root_is_purelib": true, "stash_dir": ".prefix"}
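Review bot: only `fingerprint` changes here while `record_relpath` stays `pip-20.3.4.dist-info/RECORD`, so the dist-info version no longer distinguishes the old vendored tree from the new one and the fingerprint is the only integrity signal. Suggest the commit message or CHANGES.md state how the value `25dd234e8b019eac998222a76fbbdeb4c28b7185edc84230f101adf0a27a4f88` was regenerated (by the vendoring tool rather than by hand), so a reviewer can reproduce it and confirm it covers the updated `cacert.pem`.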