Merge branch 'main' into feature/no-download-for-dry-run

Author: notatallshaw

.pre-commit-config.yaml

@@ -17,18 +17,18 @@ repos:
     exclude: .patch
 
 - repo: https://github.com/psf/black-pre-commit-mirror
-  rev: 25.1.0
+  rev: 25.9.0
   hooks:
   - id: black
 
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.12.11
+  rev: v0.13.3
   hooks:
     - id: ruff-check
       args: [--fix]
 
 - repo: https://github.com/pre-commit/mirrors-mypy
-  rev: v1.17.1
+  rev: v1.18.2
   hooks:
   - id: mypy
     exclude: tests/data

docs/html/cli/pip_freeze.rst

@@ -23,6 +23,15 @@ Description
 
 .. pip-command-description:: freeze
 
+.. note::
+   By default, ``pip freeze`` omits bootstrap packaging tools so the output
+   focuses on your project’s dependencies. On Python **3.11 and earlier**
+   this excludes ``pip``, ``setuptools``, ``wheel`` and ``distribute``; on
+   Python **3.12 and later** only ``pip`` is excluded. Use ``--all`` to
+   include those packages when you need a complete environment snapshot.
+   ``pip freeze`` reports what is installed; it does **not** compute a
+   lockfile or a solver result.
+
 
 Options
 =======

docs/html/cli/pip_install.rst

@@ -479,12 +479,11 @@ Examples
 
    .. warning::
 
-       Using this option to search for packages which are not in the main
-       repository (such as private packages) is unsafe, per a security
-       vulnerability called
-       `dependency confusion <https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/>`_:
-       an attacker can claim the package on the public repository in a way that
-       will ensure it gets chosen over the private package.
+       Using the ``--extra-index-url`` option to search for packages which are
+       not in the main repository (for example, private packages) is unsafe.
+       This is a class of security issue known as `dependency confusion <https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/>`_: an
+       attacker can publish a package with the same name to a public index,
+       which may then be chosen instead of your private package.
 
    .. tab:: Unix/macOS
 

docs/html/cli/pip_lock.rst

@@ -35,7 +35,7 @@ Options
 Examples
 ========
 
-#. Emit a ``pylock.toml`` for the the project in the current directory
+#. Emit a ``pylock.toml`` for the project in the current directory
 
    .. tab:: Unix/macOS
 

docs/html/topics/dependency-resolution.md

@@ -165,6 +165,9 @@ will avoid performing dependency resolution during deployment.
 
 ## Dealing with dependency conflicts
 
+This section uses hypothetical packages (`package_coffee`, `package_tea`, and
+`package_water`) to explain how pip resolves conflicts.
+
 This section provides practical suggestions to pip users who encounter
 a `ResolutionImpossible` error, where pip cannot install their specified
 packages due to conflicting dependencies.
@@ -194,6 +197,11 @@ because they each depend on different versions of the same package
 - ``package_tea`` version ``4.3.0`` depends on version ``2.3.1`` of
   ``package_water``
 
+Note: `package_coffee`, `package_tea`, and `package_water` are hypothetical
+packages used only to illustrate dependency conflicts. They are not real
+projects you can install.
+
+
 Sometimes these messages are straightforward to read, because they use
 commonly understood comparison operators to specify the required version
 (e.g. `<` or `>`).
@@ -252,10 +260,10 @@ the same version of `package_water`, you might consider:
 
 In the second case, pip will automatically find a version of both
 `package_coffee` and `package_tea` that depend on the same version of
-`package_water`, installing:
+`package_water`, for example:
 
 - `package_coffee 0.44.1`, which depends on `package_water 2.6.1`
-- `package_tea 4.4.3` which _also_ depends on `package_water 2.6.1`
+- `package_tea 4.4.3`, which also depends on `package_water 2.6.1`
 
 If you want to prioritize one package over another, you can add version
 specifiers to _only_ the more important package:

news/13561.doc.rst

@@ -0,0 +1 @@
+Clarified dependency resolution docs: added note on hypothetical packages, fixed version mismatch, and added introduction line.

news/certifi.vendor.rst

@@ -0,0 +1 @@
+Upgrade certifi to 2025.10.5

news/msgpack.vendor.rst

@@ -0,0 +1 @@
+Upgrade msgpack to 1.1.2

news/platformdirs.vendor.rst

@@ -0,0 +1 @@
+Upgrade platformdirs to 4.5.0

news/requests.vendor.rst

@@ -0,0 +1 @@
+Upgrade requests to 2.32.5