chore(deps): update dependency pip to v26 [security] by renovate[bot] · Pull Request #524 · jhatler/janus

renovate · 2025-10-27T16:02:32Z

This PR contains the following updates:

Package	Change	Age	Confidence
pip (changelog)	`==24.1.2` → `==26.1`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

CVE-2025-8869 / GHSA-4xh5-x5gv-qwph

More information

Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Severity

CVSS Score: 5.9 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pip Path Traversal vulnerability

CVE-2026-1703 / GHSA-6vgw-5pg2-w6jp

More information

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity

CVSS Score: 2.0 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

CVE-2026-3219 / GHSA-58qw-9mgm-455v

More information

Details

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Severity

CVSS Score: 4.6 / 10 (Medium)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

CVE-2026-6357 / GHSA-jp4c-xjxw-mgf9

More information

Details

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pypa/pip (pip)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codacy-production · 2026-04-27T21:23:50Z

Not up to standards ⛔

🔴 Issues 1 minor

Alerts:
⚠ 1 issue (≤ 0 issues of at least minor severity)

Results:
1 new issue

Category Results

CodeStyle 1 minor

View in Codacy

🟢 Metrics 0 duplication

Metric Results

Duplication 0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer}
_{TIP This summary will be updated as you push new changes.}

renovate Bot requested a review from jhatler as a code owner October 27, 2025 16:02

renovate Bot changed the title ~~chore(deps): update dependency pip to v25 [security]~~ chore(deps): update dependency pip to v26 [security] Feb 2, 2026

renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch from 585a117 to 11edce6 Compare February 2, 2026 23:34

renovate Bot changed the title ~~chore(deps): update dependency pip to v26 [security]~~ chore(deps): update dependency pip to v26 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/pypi-pip-vulnerability branch March 27, 2026 01:33

renovate Bot changed the title ~~chore(deps): update dependency pip to v26 [security] - autoclosed~~ chore(deps): update dependency pip to v26 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch 2 times, most recently from 11edce6 to 55e7ddc Compare March 30, 2026 18:07

renovate Bot changed the title ~~chore(deps): update dependency pip to v26 [security]~~ chore(deps): update dependency pip to v26 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency pip to v26 [security] - autoclosed~~ chore(deps): update dependency pip to v26 [security] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch 2 times, most recently from 55e7ddc to d77b0ba Compare April 27, 2026 21:22

chore(deps): update dependency pip to v26 [security]

0c37ea3

renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch from d77b0ba to 0c37ea3 Compare May 6, 2026 21:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency pip to v26 [security]#524

chore(deps): update dependency pip to v26 [security]#524
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-pip-vulnerability

renovate Bot commented Oct 27, 2025 •

edited

Loading

Uh oh!

codacy-production Bot commented Apr 27, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

pip's fallback tar extraction doesn't check symbolic links point to extraction directory

Details

Severity

References

pip Path Traversal vulnerability

Details

Severity

References

pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

Details

Severity

References

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

Details

Severity

References

Release Notes

Configuration

Uh oh!

codacy-production Bot commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Not up to standards ⛔

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Oct 27, 2025 •

edited

Loading

codacy-production Bot commented Apr 27, 2026 •

edited

Loading