
Pass --disable-pip-version-check from pip.list and pip.freeze (#68214) #69431

Open
dwoz wants to merge 2 commits into saltstack:3006.x from dwoz:fix/issue-68214

@dwoz dwoz commented Jun 12, 2026

Contributor

What does this PR do?

Pass --disable-pip-version-check from pip.list and pip.freeze so the
pip CLI no longer does an outbound HTTPS round-trip to PyPI for its
"newer pip available?" self-check every time the pip.installed state
queries already-installed packages. On airgapped minions that self-check
blocks until the socket timeout (~20s per call), which the reporter
measured as a 21091 ms pip.installed duration on a minion configured
with index_url/trusted_host/PIP_INDEX_URL env vars.

What issues does this PR fix or reference?

Fixes #68214

Previous Behavior

pip.installed re-checks took ~20s on every state run on airgapped
minions because salt.modules.pip.list_() invoked pip list --format=json without --disable-pip-version-check, and pip then blocked
on its outbound version-check. pip.freeze had the same issue along the
list_freeze_parse fallback path used on older pip versions.

New Behavior

pip.list and pip.freeze both append --disable-pip-version-check to
the underlying pip command, so the listing stays local and
pip.installed re-checks return in milliseconds again. The flag has been
supported since pip 6.0, well before the existing 8.0.3 floor in
pip.freeze, so it is safe to append unconditionally.

Merge requirements satisfied?

  • Docs (no documented behavior change — just suppresses an outbound
    call users never wanted from a pip.list operation)
  • Changelog (changelog/68214.fixed.md)
  • Tests written/updated (two new regression tests + 6 existing argv
    assertions updated to include the new flag)

Commits signed with GPG?

No (matches recent base-branch commits — base branch is not requiring
signatures at this time)

@dwoz dwoz requested a review from a team as a code owner June 12, 2026 00:35
@dwoz dwoz added this to the Sulphur v3006.26 milestone Jun 12, 2026
@dwoz dwoz added the test:full Run the full test suite label Jun 12, 2026
Daniel A. Wozniak added 2 commits June 14, 2026 22:59
The pip CLI does an outbound HTTPS round-trip to PyPI on every invocation
of `pip list` and `pip freeze` to check whether a newer pip release is
available. On airgapped minions that lookup blocks until the socket
timeout (~20s), which is exactly what the `pip.installed` state hits when
it calls `pip.list` to see whether the package is already installed.

Pass `--disable-pip-version-check` from both `pip.list` (the modern
JSON-format path) and `pip.freeze` (the fallback `list_freeze_parse`
path) so the listing call stays local and `pip.installed` re-checks
return in milliseconds again.

Fixes saltstack#68214

CI surfaced three additional argv assertions in tests/pytests/unit/modules/
test_pip.py that were not updated in the original commit:

* test_is_installed_true / test_is_installed_false — these go through
  pip.is_installed → pip.freeze, so the expected ``freeze`` argv now
  needs ``--disable-pip-version-check``.

* test_when_upgrade_is_called_and_there_are_available_upgrades_it_should_
  call_correct_command — this one was relying on accidental list-mutation
  aliasing through ``_get_pip_bin``'s shared ``return_value`` list: pip.
  upgrade()'s ``cmd`` and the ``cmd`` constructed inside pip.list_() were
  the same Python list object, so ``cmd.extend(["list", "--format=json"])``
  inside list_() mutated upgrade's local cmd, and the assertion ended up
  matching the contaminated argv by coincidence. The new
  ``--disable-pip-version-check`` extend lengthened the contaminated argv
  and broke the coincidence.

  Switch to ``side_effect=all_new_commands`` (same pattern already used by
  test_when_list_upgrades_is_provided_a_user_it_should_be_passed_to_the_
  version_command on the very next test) so each _get_pip_bin call returns
  a fresh list, and assert against the real ``pip install -U <pkg>`` argv
  pip.upgrade actually constructs.
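
The list aliasing described in the second commit message, reproduced as an added example (not code from this PR or from Salt). `list_argv` and `upgrade_argv` are hypothetical, simplified stand-ins for `pip.list_()` and `pip.upgrade()` that only build argv lists and never run pip, and the lambda stands in for the test suite's `all_new_commands`.

```python
from unittest.mock import MagicMock

FLAG = "--disable-pip-version-check"


def list_argv(get_pip_bin):
    """Simplified stand-in for pip.list_(): extends the list it is handed."""
    cmd = get_pip_bin()
    cmd.extend(["list", "--format=json", FLAG])
    return cmd


def upgrade_argv(get_pip_bin, pkg):
    """Simplified stand-in for pip.upgrade(): lists packages, then installs."""
    cmd = get_pip_bin()        # upgrade's own local argv
    list_argv(get_pip_bin)     # nested listing call mutates whatever it receives
    return cmd + ["install", "-U", pkg]


def shared_mock():
    # return_value: every call returns the SAME list object (aliasing).
    return MagicMock(return_value=["pip"])


def fresh_mock():
    # side_effect callable: every call builds a NEW list (no aliasing).
    return MagicMock(side_effect=lambda *args, **kwargs: ["pip"])


if __name__ == "__main__":
    print("shared:", upgrade_argv(shared_mock(), "foo"))
    print("fresh: ", upgrade_argv(fresh_mock(), "foo"))
```

With the shared mock, the listing arguments leak into the install argv, so any assertion written against that output silently depends on the listing command's exact argument count.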