Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication prioritize .netrc credentials over ones from url. #10979

Open
1 task done
kramarz opened this issue Mar 22, 2022 · 9 comments · Fixed by #10998
Open
1 task done

Authentication prioritize .netrc credentials over ones from url. #10979

kramarz opened this issue Mar 22, 2022 · 9 comments · Fixed by #10998
Labels
C: network connectivity state: awaiting PR Feature discussed, PR is needed type: bug A confirmed bug or unintended behavior

Comments

@kramarz
Copy link

kramarz commented Mar 22, 2022

Description

I have private repository in Google Artifacts Registry.
I am able to install a package using following command without the issue:

pip install simple-package -i "https://oauth2accesstoken:$(gcloud auth print-access-token)@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple"

Once I create .netrc file with another token (for example an invalid one) and run the command again pip is able to find tar.gz link using credentials from url, but it uses ~/.netrc credentials to download it (in this example since token is invalid it fails).

Anonymized -vvv output of installation attempt is in Output section.

Expected behavior

Credentials in url should be preffered over .netrc ones.

pip version

22.0.4

Python version

3.7.1

OS

Linux

How to Reproduce

  1. Create repository with required authentication and add package into it
  2. Run pip install --no-input --no-cache-dir --index-url "https://mylogin:[email protected] my-package
  3. Watch it installs successfully.
  4. Uninstall the package pip uninstall my-package
  5. Create ~/.netrc file with following content: `machine repo.url login mylogin password fakepassword
  6. Run pip install --no-input --no-cache-dir --index-url "https://mylogin:[email protected] my-package and see it fails

Output

$ pip install  simple-package --no-input -vvv -i "https://oauth2accesstoken:$(gcloud auth print-access-token)@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple"
Using pip 22.0.4 from $HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip (python 3.7)
Non-user install because user site-packages disabled
Created temporary directory: /tmp/pip-ephem-wheel-cache-qpruibfz
Created temporary directory: /tmp/pip-req-tracker-4_0o7qbx
Initialized build tracking at /tmp/pip-req-tracker-4_0o7qbx
Created build tracker: /tmp/pip-req-tracker-4_0o7qbx
Entered build tracker: /tmp/pip-req-tracker-4_0o7qbx
Created temporary directory: /tmp/pip-install-yd20cgdf
Looking in indexes: https://oauth2accesstoken:****@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple
1 location(s) to search for versions of simple-package:
* https://oauth2accesstoken:****@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/
Fetching project page and analyzing links: https://oauth2accesstoken:****@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/
Getting page https://oauth2accesstoken:****@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/
Found credentials in url for us-python.pkg.dev
Looking up "https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/" in the cache
Request header has "max_age" as 0, cache bypassed
Starting new HTTPS connection (1): us-python.pkg.dev:443
https://us-python.pkg.dev:443 "GET /$PROJECT/my-pypi-repo/simple/simple-package/ HTTP/1.1" 200 242
Updating cache with response from "https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/"
  Found link https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz (from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/), version: 0.1
Skipping link: not a file: https://oauth2accesstoken:****@us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/
Given no hashes to check 1 links for project 'simple-package': discarding no candidates
Collecting simple_package
  Created temporary directory: /tmp/pip-unpack-h_1_vpv2
  Found credentials in netrc for us-python.pkg.dev
  Looking up "https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz" in the cache
  No cache entry available
  https://us-python.pkg.dev:443 "GET /$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz HTTP/1.1" 401 60
  ERROR: HTTP error 401 while getting https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz (from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/)
ERROR: Could not install requirement simple_package from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz because of HTTP error 401 Client Error: Unauthorized for url: https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz for URL https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz (from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/)
Exception information:
Traceback (most recent call last):
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/operations/prepare.py", line 538, in _prepare_linked_requirement
    hashes,
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/operations/prepare.py", line 218, in unpack_url
    hashes=hashes,
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/operations/prepare.py", line 94, in get_http_url
    from_path, content_type = download(link, temp_dir.path)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/network/download.py", line 133, in __call__
    resp = _http_get_download(self._session, link)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/network/download.py", line 117, in _http_get_download
    raise_for_status(resp)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/network/utils.py", line 54, in raise_for_status
    raise NetworkConnectionError(http_error_msg, response=resp)
pip._internal.exceptions.NetworkConnectionError: 401 Client Error: Unauthorized for url: https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/cli/base_command.py", line 167, in exc_logging_wrapper
    status = run_func(*args)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/cli/req_command.py", line 205, in wrapper
    return func(self, options, args)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/commands/install.py", line 340, in run
    reqs, check_supported_wheels=not options.target_dir
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 95, in resolve
    collected.requirements, max_rounds=try_to_avoid_resolution_too_deep
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_vendor/resolvelib/resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_vendor/resolvelib/resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_vendor/resolvelib/resolvers.py", line 172, in _add_to_criteria
    if not criterion.candidates:
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_vendor/resolvelib/structs.py", line 151, in __bool__
    return bool(self._sequence)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/found_candidates.py", line 155, in __bool__
    return any(self)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/found_candidates.py", line 143, in <genexpr>
    return (c for c in iterator if id(c) not in self._incompatible_ids)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/found_candidates.py", line 47, in _iter_built
    candidate = func()
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 220, in _make_candidate_from_link
    version=version,
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 294, in __init__
    version=version,
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 158, in __init__
    self.dist = self._prepare()
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 227, in _prepare
    dist = self._prepare_distribution()
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 299, in _prepare_distribution
    return preparer.prepare_linked_requirement(self._ireq, parallel_builds=True)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/operations/prepare.py", line 487, in prepare_linked_requirement
    return self._prepare_linked_requirement(req, parallel_builds)
  File "$HOME/.pyenv/versions/3.7.1/envs/workspace3.9/lib/python3.7/site-packages/pip/_internal/operations/prepare.py", line 543, in _prepare_linked_requirement
    "error {} for URL {}".format(req, exc, link)
pip._internal.exceptions.InstallationError: Could not install requirement simple_package from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz because of HTTP error 401 Client Error: Unauthorized for url: https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz for URL https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz (from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/)
Removed build tracker: '/tmp/pip-req-tracker-4_0o7qbx'

Code of Conduct

@kramarz kramarz added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Mar 22, 2022
@notatallshaw
Copy link
Member

Are you sure this is a Pip issue and not a requests issue? What behavior does requests have for the same thing?

Mostly Pip is just delegating to requests on how to handle this.

@pradyunsg pradyunsg added resolution: not a bug Determined as not a bug in pip and removed type: bug A confirmed bug or unintended behavior S: needs triage Issues/PRs that need to be triaged labels Mar 22, 2022
@pradyunsg
Copy link
Member

pip._internal.exceptions.NetworkConnectionError: 401 Client Error: Unauthorized for url: https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz

This is the error: Your server is giving you a 401 Client Error on this. You'll have to investigate what that is.

I'll bundle improving this error message into #10421.

@notatallshaw
Copy link
Member

notatallshaw commented Mar 22, 2022

@pradyunsg I think you are misunderstanding the issue reported here.

The credentials are wrong because they are the ones read out of the .netrc file not the ones read out of the URL.

But I believe this behavior comes from requests not pip. And as such there are two things I can suggest:

  1. Improve the specificity of the netrc file to only the hosts which require the credentials
  2. Set the NETRC env variable to /dev/null or a separate NETRC file with the correct credentials when running pip commands, assuming you are using pip that has vendored requests 2.25.0 or higher

(I see a similar issue quite a lot in my corporate environment)

@pradyunsg
Copy link
Member

Indeed, and thanks for catching that @notatallshaw! :)

@pradyunsg pradyunsg added S: needs triage Issues/PRs that need to be triaged and removed resolution: not a bug Determined as not a bug in pip labels Mar 22, 2022
@pradyunsg pradyunsg reopened this Mar 22, 2022
@kramarz
Copy link
Author

kramarz commented Mar 24, 2022

I have deliberately put an incorrect password in .netrc file to trigger a 401 error to illustrate that netrc credentials are used instead of ones in url.

Thank you for providing workarounds, but the issue appears in environment where netrc is generated automatically if user don't provide one and user does not have control over env, so they need to remember to generate .netrc to use desired token instead of generating requirements.txt file.
Workaround exists, but it would be appreciated if pip behaves as documented: https://pip.pypa.io/en/latest/topics/authentication/#netrc-support

You can see in the output of the command there are 2 requests:

Starting new HTTPS connection (1): us-python.pkg.dev:443
https://us-python.pkg.dev:443 "GET /$PROJECT/my-pypi-repo/simple/simple-package/ HTTP/1.1" 200 242

and

https://us-python.pkg.dev:443 "GET /$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz HTTP/1.1" 401 60
  ERROR: HTTP error 401 while getting https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple-package/simple_package-0.1.tar.gz (from https://us-python.pkg.dev/$PROJECT/my-pypi-repo/simple/simple-package/)

As you see the first one was successful which means it used credentials from url correctly, while the second one failed so it used netrc ones. This shows that pip is sending these requests in different ways, hence I believe it is pip and not requests issue.

@pradyunsg
Copy link
Member

Are there any other tools that override explicitly provided credentials with netrc credentials?

@notatallshaw
Copy link
Member

notatallshaw commented Mar 24, 2022

As you see the first one was successful which means it used credentials from url correctly, while the second one failed so it used netrc ones. This shows that pip is sending these requests in different ways, hence I believe it is pip and not requests issue.

You could be correct but I'm not sure based on the information you've provided so far, is still seems speculative.

Poking around in Pips code for netrc I could only find 1 location that is a possible culprit: _get_new_credentials (which is called by _get_url_and_credentials which is called by __call__ which is used to establish auth for a network session): https://github.com/pypa/pip/blob/22.0.4/src/pip/_internal/network/auth.py#L109

But _get_new_credentials gets the credentials in the order you would expect, url scheme is first and netrc is much later.

@pradyunsg
Copy link
Member

OK, I just re-read this issue and... I completely misread this the last two times. Sincere apologies to @kramarz and @notatallshaw.

This is definitely a bug at some point in our network authentication handling code.

@pradyunsg pradyunsg added type: bug A confirmed bug or unintended behavior state: awaiting PR Feature discussed, PR is needed C: network connectivity and removed S: needs triage Issues/PRs that need to be triaged labels Mar 24, 2022
@q0w
Copy link
Contributor

q0w commented May 6, 2022

Test in #10998 fails with plain url and netrc credentials?

---url = f"https://USERNAME:PASSWORD@{server.host}:{server.port}/simple"
+++url = f"https://{server.host}:{server.port}/simple"
...
---f"machine {server.host} login wrongusername password wrongpassword"
+++f"machine {server.host} login USERNAME password PASSWORD"

but works with reverted #10998 changes for RFC7617

---"simple-3.0.tar.gz": "/files/simple-3.0.tar.gz",
+++"simple-3.0.tar.gz": "/simple/files/simple-3.0.tar.gz",

@pradyunsg pradyunsg reopened this May 22, 2022
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue May 31, 2022
Bumps [pip](https://github.com/pypa/pip) from 22.1.1 to 22.1.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>22.1.2 (2022-05-31)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Revert <code>[#10979](pypa/pip#10979) &lt;https://github.com/pypa/pip/issues/10979&gt;</code>_ since it introduced a regression in certain edge cases. (<code>[#10979](pypa/pip#10979) &lt;https://github.com/pypa/pip/issues/10979&gt;</code>_)</li>
<li>Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented. (<code>[#11136](pypa/pip#11136) &lt;https://github.com/pypa/pip/issues/11136&gt;</code>_)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/5f12c59f69656cf682cbd20cc1eee880578bce88"><code>5f12c59</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/70c9b36582554e9a306429f1c29cca5c47d7d41c"><code>70c9b36</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11134">#11134</a> from q0w/revert-10998-handle-netrc</li>
<li><a href="https://github.com/pypa/pip/commit/0799ceac4c69cd4787ffed48b0afcfae93afe3f1"><code>0799cea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11136">#11136</a> from pradyunsg/fix-upgrade-prompt</li>
<li>See full diff in <a href="https://github.com/pypa/pip/compare/22.1.1...22.1.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.1.1&new-version=22.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
inmantaci pushed a commit to inmanta/inmanta-core that referenced this issue Jun 1, 2022
Bumps [pip](https://github.com/pypa/pip) from 22.1.1 to 22.1.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p>
<blockquote>
<h1>22.1.2 (2022-05-31)</h1>
<h2>Bug Fixes</h2>
<ul>
<li>Revert <code>[#10979](pypa/pip#10979) &lt;https://github.com/pypa/pip/issues/10979&gt;</code>_ since it introduced a regression in certain edge cases. (<code>[#10979](pypa/pip#10979) &lt;https://github.com/pypa/pip/issues/10979&gt;</code>_)</li>
<li>Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented. (<code>[#11136](pypa/pip#11136) &lt;https://github.com/pypa/pip/issues/11136&gt;</code>_)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/pypa/pip/commit/5f12c59f69656cf682cbd20cc1eee880578bce88"><code>5f12c59</code></a> Bump for release</li>
<li><a href="https://github.com/pypa/pip/commit/70c9b36582554e9a306429f1c29cca5c47d7d41c"><code>70c9b36</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11134">#11134</a> from q0w/revert-10998-handle-netrc</li>
<li><a href="https://github.com/pypa/pip/commit/0799ceac4c69cd4787ffed48b0afcfae93afe3f1"><code>0799cea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11136">#11136</a> from pradyunsg/fix-upgrade-prompt</li>
<li>See full diff in <a href="https://github.com/pypa/pip/compare/22.1.1...22.1.2">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.1.1&new-version=22.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 7, 2022
22.1.2 (2022-05-31)
===================

Bug Fixes
---------
- Revert <pypa/pip#10979> since it introduced a regression in certain edge cases.
- Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented.


22.1.1 (2022-05-20)
===================

Bug Fixes
---------
- Properly filter out optional dependencies (i.e. extras) when checking build environment distributions.
- Change the build environment dependency checking to be opt-in.
- Allow using a pre-release version to satisfy a build requirement. This helps
  manually populated build environments to more accurately detect build-time
  requirement conflicts.


22.1 (2022-05-11)
=================

Process
-------
- Enable the ``importlib.metadata`` metadata implementation by default on
  Python 3.11 (or later). The environment variable ``_PIP_USE_IMPORTLIB_METADATA``
  can still be used to enable the implementation on 3.10 and earlier, or disable
  it on 3.11 (by setting it to ``0`` or ``false``).

Bug Fixes
---------
- Revert <pypa/pip#9243> since it introduced a regression in certain edge cases.
- Fix missing ``REQUESTED`` metadata when using URL constraints.
- ``pip config`` now normalizes names by converting underscores into dashes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C: network connectivity state: awaiting PR Feature discussed, PR is needed type: bug A confirmed bug or unintended behavior
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants