Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add flag to force pip to always fetch password from keyring #10269

Closed
rittneje opened this issue Aug 4, 2021 · 13 comments · Fixed by #10288
Closed

Add flag to force pip to always fetch password from keyring #10269

rittneje opened this issue Aug 4, 2021 · 13 comments · Fixed by #10288
Labels
type: feature request Request for a new feature

Comments

@rittneje
Copy link
Contributor

rittneje commented Aug 4, 2021

What's the problem this feature will solve?

I am trying to fetch modules from a private server. In order to avoid storing this password in filesystem or environment, I have added it to keyring instead. I have also set https://username@my-private-server.com as global.index-url in my pip.conf.

Based upon the verbose logs from pip install, it seems that pip will first do the request without a password, get a 401, and then fetch the password from keyring.

Describe the solution you'd like

There should be a way to force pip to always fetch the password from keyring in the first place. This would prevent it from spamming the server with unauthenticated requests.

Alternative Solutions

I don't want to put the password in plaintext in my pip.conf or environment variables, so I'm not aware of any alternative solution.

Additional context

n/a

@uranusjr
Copy link
Member

uranusjr commented Aug 5, 2021

Hi! Would you be interested in working on a solution to this? We can first produce a prototype that makes pip switch behaviour (maybe based on an environment variable first) and work out a good way to present the functionality to users from there.

@uranusjr uranusjr added the type: feature request Request for a new feature label Aug 5, 2021
@rittneje
Copy link
Contributor Author

rittneje commented Aug 6, 2021

I'll give it a try. One thing I'm wondering is whether it would make more sense to have a different env var for PIP_USERNAME or something to that effect, since as I understand it, just putting it in PIP_INDEX_URL is ambiguous between it being a (secret) token, or a username. Then if PIP_INDEX_URL includes no auth info, but PIP_USERNAME is set, it would know to fetch the password from keyring in the first place. That could also simplify things with pipenv (assuming it incorporates the same general change), since that way the Pipfile would just include the index url verbatim rather than having to interpolate env vars in it. Meanwhile for CI/CD cases the build server can set PIP_USERNAME and PIP_PASSWORD (or PIP_TOKEN, depending on the auth style). Thoughts?

By the way, for context our private repo is hosted on Artifactory. Due to a bug on their end, the repeated unauthenticated requests from pip cause it to return 403 at random when it shouldn't. So this fix would also resolve that issue.

@uranusjr
Copy link
Member

uranusjr commented Aug 7, 2021

The problem is you can have index URLs, and when you do that PIP_USERNAME won’t make sense. The config must be per-index.

@rittneje
Copy link
Contributor Author

rittneje commented Aug 7, 2021

Hmm, wouldn't you have the same general problem with some "always auth with keyring" flag then?

@uranusjr
Copy link
Member

uranusjr commented Aug 7, 2021

My understanding is we store index URL auths per-domain in keyring, and uses keyring.get_password()’s service key to get the corresponding one for an index. An “always use keyring” flag would make pip ask keyring for every URL, but keyring can return different answers for them.

You can find this logic in pip._internal.network.auth.

@rittneje
Copy link
Contributor Author

rittneje commented Aug 7, 2021

I see. Actually, I do have another question after trying to read through the code. In my case, the index url only contained a username, not a password (or even a colon). But the code seems to have checks of the form if username is not None and password is not None. So then, why didn't it fallthrough to keyring under the existing logic? It appears to be due to this:

username, password = self._get_new_credentials(original_url)

When the request is first sent, keyring isn't even consulted, because for some reason allow_keyring=True is not passed the first time. Instead, it only allows keyring after a 401. Do you know why that is? I can't think of any reason that it shouldn't try to fetch from keyring if the index url contains a username with no password. I would think changing that behavior to simply fetch from keyring unconditionally would resolve my issue without any need for a new flag.

# If we don't have a password and keyring is available, use it.
if allow_keyring:
# The index url is more specific than the netloc, so try it first
# fmt: off
kr_auth = (
get_keyring_auth(index_url, username) or
get_keyring_auth(netloc, username)
)
# fmt: on
if kr_auth:
logger.debug("Found credentials in keyring for %s", netloc)
return kr_auth

@uranusjr
Copy link
Member

uranusjr commented Aug 8, 2021

That line is for cases where the file URL contains auth. The index part is after the self._get_index_url(url) line.

Edit: Oops, sorry, I misread the comment.

The first 401 pass is intentional so keyring is not hit when the URL does not actually need authentication, which is the vast majority of cases. The keyring can pretty slow (depending on the back-end), and we want to make it as nonintrusive as possible for most people. If pip is a corporate tool we would probably always go through keyring, but pip is FOSS, and 99% (impression number without evidence, don’t quote me) of our users are only using FOSS indexes, so we prioritise them.

@rittneje
Copy link
Contributor Author

rittneje commented Aug 8, 2021

Upon further review of the code, I think I've found a bug that, if fixed, will mostly resolve my issue without needing any new flags, and without incurring a performance hit for the majority case.

After fetching the password from keyring, it caches the credentials for later.

# Store the new username and password to use for future requests
self._credentials_to_save = None
if username is not None and password is not None:
self.passwords[parsed.netloc] = (username, password)

However, the cache is only consulted if the index url has no credentials at all.

# If credentials not found, use any stored credentials for this netloc
if username is None and password is None:
username, password = self.passwords.get(netloc, (None, None))

Instead, the cache lookup should be this:

if (username is None or password is None) and netloc in self.passwords:
    un, pw = self.passwords[netloc]
    if username is None or username == un:
        username, password = un, pw

Separately, it would be nice to avoid the initial 401 by always consulting keyring in the first place. But that seems more complicated to do correctly, and less necessary if the cache lookup is fixed.

@uranusjr
Copy link
Member

uranusjr commented Aug 8, 2021

Again, always checking keyring unconditionally would not be an option, because we don’t want to acces keyring unless necessary. Checking the cached entry sounds like a doable change, but I think we need to make self.passwords smarter, otherwise you won’t be able to cache the username-password set you got when username != un is not None. This goes back to the point that keyring can be pretty slow…

@rittneje
Copy link
Contributor Author

rittneje commented Aug 8, 2021

Right, that is one of the reasons I was saying that being able to force it to consult keyring in the first place is more complicated.

I think we need to make self.passwords smarter, otherwise you won’t be able to cache the username-password set you got when username != un is not None.

I didn't understand this point. My modified condition for using cached credentials will handle it fine. The only time it doesn't work is when there are two index urls in play for the same hostname with different embedded usernames. But that seems like a pretty bizarre use case, and it would already not be using the cache today anyway.

@uranusjr
Copy link
Member

uranusjr commented Aug 8, 2021

The only time it doesn't work is when there are two index urls in play for the same hostname with different embedded usernames

Isn’t this what your username == un part is checking? I think I am becoming confused whith the snippets now. Maybe it would be easier to discuss this if you could submit this as a PR with some tests to illustrate its usage.

@rittneje
Copy link
Contributor Author

rittneje commented Aug 8, 2021

Yes, by "doesn't work", I just meant that it won't really function as a cache. It won't mix up the passwords though.

I've opened #10288 as a draft PR. I have not tried to run it myself, or even run the unit tests.

@rittneje
Copy link
Contributor Author

@uranusjr Please take a look at that PR when you have a chance.

inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Oct 12, 2021
Bumps [pip](https://github.com/pypa/pip) from 21.2.4 to 21.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>21.3 (2021-10-11)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Improve deprecation warning regarding the copying of source trees when installing from a local directory. (<code>[#10128](pypa/pip#10128) &lt;https://github.com/pypa/pip/issues/10128&gt;</code>_)</li>
<li>Suppress location mismatch warnings when pip is invoked from a Python source
tree, so <code>ensurepip</code> does not emit warnings on CPython <code>make install</code>. (<code>[#10270](pypa/pip#10270) &lt;https://github.com/pypa/pip/issues/10270&gt;</code>_)</li>
<li>On Python 3.10 or later, the installation scheme backend has been changed to use
<code>sysconfig</code>. This is to anticipate the deprecation of <code>distutils</code> in Python
3.10, and its scheduled removal in 3.12. For compatibility considerations, pip
installations running on Python 3.9 or lower will continue to use <code>distutils</code>. (<code>[#10358](pypa/pip#10358) &lt;https://github.com/pypa/pip/issues/10358&gt;</code>_)</li>
<li>Remove the <code>--build-dir</code> option and aliases, one last time. (<code>[#10485](pypa/pip#10485) &lt;https://github.com/pypa/pip/issues/10485&gt;</code>_)</li>
<li>In-tree builds are now the default. <code>--use-feature=in-tree-build</code> is now
ignored. <code>--use-deprecated=out-of-tree-build</code> may be used temporarily to ease
the transition. (<code>[#10495](pypa/pip#10495) &lt;https://github.com/pypa/pip/issues/10495&gt;</code>_)</li>
<li>Un-deprecate source distribution re-installation behaviour. (<code>[#8711](pypa/pip#8711) &lt;https://github.com/pypa/pip/issues/8711&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Replace vendored appdirs with platformdirs. (<code>[#10202](pypa/pip#10202) &lt;https://github.com/pypa/pip/issues/10202&gt;</code>_)</li>
<li>Support <code>PEP 610 &lt;https://www.python.org/dev/peps/pep-0610/&gt;</code>_ to detect
editable installs in <code>pip freeze</code> and  <code>pip list</code>. The <code>pip list</code> column output
has a new <code>Editable project location</code> column, and the JSON output has a new
<code>editable_project_location</code> field. (<code>[#10249](pypa/pip#10249) &lt;https://github.com/pypa/pip/issues/10249&gt;</code>_)</li>
<li><code>pip freeze</code> will now always fallback to reporting the editable project
location when it encounters a VCS error while analyzing an editable
requirement. Before, it sometimes reported the requirement as non-editable. (<code>[#10410](pypa/pip#10410) &lt;https://github.com/pypa/pip/issues/10410&gt;</code>_)</li>
<li><code>pip show</code> now sorts <code>Requires</code> and <code>Required-By</code> alphabetically. (<code>[#10422](pypa/pip#10422) &lt;https://github.com/pypa/pip/issues/10422&gt;</code>_)</li>
<li>Do not raise error when there are no files to remove with <code>pip cache purge/remove</code>.
Instead log a warning and continue (to log that we removed 0 files). (<code>[#10459](pypa/pip#10459) &lt;https://github.com/pypa/pip/issues/10459&gt;</code>_)</li>
<li>When backtracking during dependency resolution, prefer the dependencies which are involved in the most recent conflict. This can significantly reduce the amount of backtracking required. (<code>[#10479](pypa/pip#10479) &lt;https://github.com/pypa/pip/issues/10479&gt;</code>_)</li>
<li>Cache requirement objects, to improve performance reducing reparses of requirement strings. (<code>[#10550](pypa/pip#10550) &lt;https://github.com/pypa/pip/issues/10550&gt;</code>_)</li>
<li>Support editable installs for projects that have a <code>pyproject.toml</code> and use a
build backend that supports :pep:<code>660</code>. (<code>[#8212](pypa/pip#8212) &lt;https://github.com/pypa/pip/issues/8212&gt;</code>_)</li>
<li>When a revision is specified in a Git URL, use git's partial clone feature to speed up source retrieval. (<code>[#9086](pypa/pip#9086) &lt;https://github.com/pypa/pip/issues/9086&gt;</code>_)</li>
<li>Add a <code>--debug</code> flag, to enable a mode that doesn't log errors and propagates them to the top level instead. This is primarily to aid with debugging pip's crashes. (<code>[#9349](pypa/pip#9349) &lt;https://github.com/pypa/pip/issues/9349&gt;</code>_)</li>
<li>If a host is explicitly specified as trusted by the user (via the --trusted-host option), cache HTTP responses from it in addition to HTTPS ones. (<code>[#9498](pypa/pip#9498) &lt;https://github.com/pypa/pip/issues/9498&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Present a better error message, when a <code>file:</code> URL is not found. (<code>[#10263](pypa/pip#10263) &lt;https://github.com/pypa/pip/issues/10263&gt;</code>_)</li>
<li>Fix the auth credential cache to allow for the case in which
the index url contains the username, but the password comes
from an external source, such as keyring. (<code>[#10269](pypa/pip#10269) &lt;https://github.com/pypa/pip/issues/10269&gt;</code>_)</li>
<li>Fix double unescape of HTML <code>data-requires-python</code> and <code>data-yanked</code> attributes. (<code>[#10378](pypa/pip#10378) &lt;https://github.com/pypa/pip/issues/10378&gt;</code>_)</li>
<li>New resolver: Fixes depth ordering of packages during resolution, e.g. a dependency 2 levels deep will be ordered before a dependecy 3 levels deep. (<code>[#10482](pypa/pip#10482) &lt;https://github.com/pypa/pip/issues/10482&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/abec8a701bfa66aa15fedf4c898011aa2d95f29e"><code>abec8a7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/68a70486c9224f9d25be3cbf56c73d8a33c6a713"><code>68a7048</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/9f18a403ca41f4e42fbb89d286b6571a099cb54b"><code>9f18a40</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10481">#10481</a> from notatallshaw/prefer_failures</li>
<li><a href="https://github.com/pypa/pip/commit/db496cbce518fa159476695db0cd4f1c1a8ab6f5"><code>db496cb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10563">#10563</a> from pradyunsg/shorter-timeout</li>
<li><a href="https://github.com/pypa/pip/commit/4fac2b90a5d200b46e7b576013bb25f4ebb3f937"><code>4fac2b9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10550">#10550</a> from jbylund/joe/cache_requirement_creation</li>
<li><a href="https://github.com/pypa/pip/commit/786957cf85a641d49b4cfcceef717ef229ac8238"><code>786957c</code></a> Use a shorter timeout, to ensure that this fails more often</li>
<li><a href="https://github.com/pypa/pip/commit/1e3c127d4a938643aca1bbc25e6581493e316476"><code>1e3c127</code></a> Avoid passing <code>.</code> to vendoring</li>
<li><a href="https://github.com/pypa/pip/commit/610424f9f8ad1f99d0a48bf9a53e7a9df4242304"><code>610424f</code></a> Quote &quot;PreferenceInformation&quot; to avoid runtime NameError</li>
<li><a href="https://github.com/pypa/pip/commit/c01b5c6d8a4858cf733408b4b020933f902dda9e"><code>c01b5c6</code></a> Update a test for resolvelib 0.8.0</li>
<li><a href="https://github.com/pypa/pip/commit/394a24eb1a5f9af5da7d4d2452ed5fe952de5db2"><code>394a24e</code></a> Upgrade resolvelib to 0.8.0</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/21.2.4...21.3">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=21.2.4&new-version=21.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
mergify bot pushed a commit to andrewbolster/bolster that referenced this issue Oct 12, 2021
Bumps [pip](https://github.com/pypa/pip) from 21.2.4 to 21.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>21.3 (2021-10-11)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Improve deprecation warning regarding the copying of source trees when installing from a local directory. (<code>[#10128](pypa/pip#10128) &lt;https://github.com/pypa/pip/issues/10128&gt;</code>_)</li>
<li>Suppress location mismatch warnings when pip is invoked from a Python source
tree, so <code>ensurepip</code> does not emit warnings on CPython <code>make install</code>. (<code>[#10270](pypa/pip#10270) &lt;https://github.com/pypa/pip/issues/10270&gt;</code>_)</li>
<li>On Python 3.10 or later, the installation scheme backend has been changed to use
<code>sysconfig</code>. This is to anticipate the deprecation of <code>distutils</code> in Python
3.10, and its scheduled removal in 3.12. For compatibility considerations, pip
installations running on Python 3.9 or lower will continue to use <code>distutils</code>. (<code>[#10358](pypa/pip#10358) &lt;https://github.com/pypa/pip/issues/10358&gt;</code>_)</li>
<li>Remove the <code>--build-dir</code> option and aliases, one last time. (<code>[#10485](pypa/pip#10485) &lt;https://github.com/pypa/pip/issues/10485&gt;</code>_)</li>
<li>In-tree builds are now the default. <code>--use-feature=in-tree-build</code> is now
ignored. <code>--use-deprecated=out-of-tree-build</code> may be used temporarily to ease
the transition. (<code>[#10495](pypa/pip#10495) &lt;https://github.com/pypa/pip/issues/10495&gt;</code>_)</li>
<li>Un-deprecate source distribution re-installation behaviour. (<code>[#8711](pypa/pip#8711) &lt;https://github.com/pypa/pip/issues/8711&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Replace vendored appdirs with platformdirs. (<code>[#10202](pypa/pip#10202) &lt;https://github.com/pypa/pip/issues/10202&gt;</code>_)</li>
<li>Support <code>PEP 610 &lt;https://www.python.org/dev/peps/pep-0610/&gt;</code>_ to detect
editable installs in <code>pip freeze</code> and  <code>pip list</code>. The <code>pip list</code> column output
has a new <code>Editable project location</code> column, and the JSON output has a new
<code>editable_project_location</code> field. (<code>[#10249](pypa/pip#10249) &lt;https://github.com/pypa/pip/issues/10249&gt;</code>_)</li>
<li><code>pip freeze</code> will now always fallback to reporting the editable project
location when it encounters a VCS error while analyzing an editable
requirement. Before, it sometimes reported the requirement as non-editable. (<code>[#10410](pypa/pip#10410) &lt;https://github.com/pypa/pip/issues/10410&gt;</code>_)</li>
<li><code>pip show</code> now sorts <code>Requires</code> and <code>Required-By</code> alphabetically. (<code>[#10422](pypa/pip#10422) &lt;https://github.com/pypa/pip/issues/10422&gt;</code>_)</li>
<li>Do not raise error when there are no files to remove with <code>pip cache purge/remove</code>.
Instead log a warning and continue (to log that we removed 0 files). (<code>[#10459](pypa/pip#10459) &lt;https://github.com/pypa/pip/issues/10459&gt;</code>_)</li>
<li>When backtracking during dependency resolution, prefer the dependencies which are involved in the most recent conflict. This can significantly reduce the amount of backtracking required. (<code>[#10479](pypa/pip#10479) &lt;https://github.com/pypa/pip/issues/10479&gt;</code>_)</li>
<li>Cache requirement objects, to improve performance reducing reparses of requirement strings. (<code>[#10550](pypa/pip#10550) &lt;https://github.com/pypa/pip/issues/10550&gt;</code>_)</li>
<li>Support editable installs for projects that have a <code>pyproject.toml</code> and use a
build backend that supports :pep:<code>660</code>. (<code>[#8212](pypa/pip#8212) &lt;https://github.com/pypa/pip/issues/8212&gt;</code>_)</li>
<li>When a revision is specified in a Git URL, use git's partial clone feature to speed up source retrieval. (<code>[#9086](pypa/pip#9086) &lt;https://github.com/pypa/pip/issues/9086&gt;</code>_)</li>
<li>Add a <code>--debug</code> flag, to enable a mode that doesn't log errors and propagates them to the top level instead. This is primarily to aid with debugging pip's crashes. (<code>[#9349](pypa/pip#9349) &lt;https://github.com/pypa/pip/issues/9349&gt;</code>_)</li>
<li>If a host is explicitly specified as trusted by the user (via the --trusted-host option), cache HTTP responses from it in addition to HTTPS ones. (<code>[#9498](pypa/pip#9498) &lt;https://github.com/pypa/pip/issues/9498&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Present a better error message, when a <code>file:</code> URL is not found. (<code>[#10263](pypa/pip#10263) &lt;https://github.com/pypa/pip/issues/10263&gt;</code>_)</li>
<li>Fix the auth credential cache to allow for the case in which
the index url contains the username, but the password comes
from an external source, such as keyring. (<code>[#10269](pypa/pip#10269) &lt;https://github.com/pypa/pip/issues/10269&gt;</code>_)</li>
<li>Fix double unescape of HTML <code>data-requires-python</code> and <code>data-yanked</code> attributes. (<code>[#10378](pypa/pip#10378) &lt;https://github.com/pypa/pip/issues/10378&gt;</code>_)</li>
<li>New resolver: Fixes depth ordering of packages during resolution, e.g. a dependency 2 levels deep will be ordered before a dependecy 3 levels deep. (<code>[#10482](pypa/pip#10482) &lt;https://github.com/pypa/pip/issues/10482&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/abec8a701bfa66aa15fedf4c898011aa2d95f29e"><code>abec8a7</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/68a70486c9224f9d25be3cbf56c73d8a33c6a713"><code>68a7048</code></a> Update AUTHORS.txt</li>
<li><a href="https://github.com/pypa/pip/commit/9f18a403ca41f4e42fbb89d286b6571a099cb54b"><code>9f18a40</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10481">#10481</a> from notatallshaw/prefer_failures</li>
<li><a href="https://github.com/pypa/pip/commit/db496cbce518fa159476695db0cd4f1c1a8ab6f5"><code>db496cb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10563">#10563</a> from pradyunsg/shorter-timeout</li>
<li><a href="https://github.com/pypa/pip/commit/4fac2b90a5d200b46e7b576013bb25f4ebb3f937"><code>4fac2b9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10550">#10550</a> from jbylund/joe/cache_requirement_creation</li>
<li><a href="https://github.com/pypa/pip/commit/786957cf85a641d49b4cfcceef717ef229ac8238"><code>786957c</code></a> Use a shorter timeout, to ensure that this fails more often</li>
<li><a href="https://github.com/pypa/pip/commit/1e3c127d4a938643aca1bbc25e6581493e316476"><code>1e3c127</code></a> Avoid passing <code>.</code> to vendoring</li>
<li><a href="https://github.com/pypa/pip/commit/610424f9f8ad1f99d0a48bf9a53e7a9df4242304"><code>610424f</code></a> Quote &quot;PreferenceInformation&quot; to avoid runtime NameError</li>
<li><a href="https://github.com/pypa/pip/commit/c01b5c6d8a4858cf733408b4b020933f902dda9e"><code>c01b5c6</code></a> Update a test for resolvelib 0.8.0</li>
<li><a href="https://github.com/pypa/pip/commit/394a24eb1a5f9af5da7d4d2452ed5fe952de5db2"><code>394a24e</code></a> Upgrade resolvelib to 0.8.0</li>
<li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/21.2.4...21.3">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=21.2.4&new-version=21.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 22, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
type: feature request Request for a new feature
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants