From f48869bfe3c3bb95f2c3749d1bea9825939036e5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Oct 2025 11:25:15 +0000
Subject: [PATCH] Bump pip from 25.2 to 25.3 (#11720)

Bumps [pip](https://github.com/pypa/pip) from 25.2 to 25.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>25.3 (2025-10-24)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>
<p>Remove support for the legacy <code>setup.py develop</code> editable
method in setuptools
editable installs; setuptools &gt;= 64 is now required.
(<code>[#11457](https://github.com/pypa/pip/issues/11457)
&lt;https://github.com/pypa/pip/issues/11457&gt;</code>_)</p>
</li>
<li>
<p>Remove the deprecated <code>--global-option</code> and
<code>--build-option</code>.
<code>--config-setting</code> is now the only way to pass options to the
build backend. (<code>[#11859](https://github.com/pypa/pip/issues/11859)
&lt;https://github.com/pypa/pip/issues/11859&gt;</code>_)</p>
</li>
<li>
<p>Deprecate the <code>PIP_CONSTRAINT</code> environment variable for
specifying build
constraints.</p>
<p>Use the <code>--build-constraint</code> option or the
<code>PIP_BUILD_CONSTRAINT</code> environment variable
instead. When build constraints are used, <code>PIP_CONSTRAINT</code> no
longer affects isolated build
environments. To enable this behavior without specifying any build
constraints, use
<code>--use-feature=build-constraint</code>.
(<code>[#13534](https://github.com/pypa/pip/issues/13534)
&lt;https://github.com/pypa/pip/issues/13534&gt;</code>_)</p>
</li>
<li>
<p>Remove support for non-standard legacy wheel filenames.
(<code>[#13581](https://github.com/pypa/pip/issues/13581)
&lt;https://github.com/pypa/pip/issues/13581&gt;</code>_)</p>
</li>
<li>
<p>Remove support for the deprecated <code>setup.py bdist_wheel</code>
mechanism. Consequently,
<code>--use-pep517</code> is now always on, and
<code>--no-use-pep517</code> has been removed.
(<code>[#6334](https://github.com/pypa/pip/issues/6334)
&lt;https://github.com/pypa/pip/issues/6334&gt;</code>_)</p>
</li>
</ul>
<h2>Features</h2>
<ul>
<li>When :pep:<code>658</code> metadata is available, full distribution
files are no longer downloaded when using <code>pip lock</code> or
<code>pip install --dry-run</code>.
(<code>[#12603](https://github.com/pypa/pip/issues/12603)
&lt;https://github.com/pypa/pip/issues/12603&gt;</code>_)</li>
<li>Add support for installing an editable requirement written as a
Direct URL (<code>PackageName @ URL</code>).
(<code>[#13495](https://github.com/pypa/pip/issues/13495)
&lt;https://github.com/pypa/pip/issues/13495&gt;</code>_)</li>
<li>Add support for build constraints via the
<code>--build-constraint</code> option. This
allows constraining the versions of packages used during the build
process
(e.g., setuptools) without affecting the final installation.
(<code>[#13534](https://github.com/pypa/pip/issues/13534)
&lt;https://github.com/pypa/pip/issues/13534&gt;</code>_)</li>
<li>On <code>ResolutionImpossible</code> errors, include a note about
causes with no candidates.
(<code>[#13588](https://github.com/pypa/pip/issues/13588)
&lt;https://github.com/pypa/pip/issues/13588&gt;</code>_)</li>
<li>Building pip itself from source now uses flit-core instead of
setuptools.
This does not affect how pip installs or builds packages you use.
(<code>[#13473](https://github.com/pypa/pip/issues/13473)
&lt;https://github.com/pypa/pip/issues/13473&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Handle malformed <code>Version</code> metadata entries and
show a sensible error message instead of crashing.
(<code>[#13443](https://github.com/pypa/pip/issues/13443)
&lt;https://github.com/pypa/pip/issues/13443&gt;</code>_)</li>
<li>Permit spaces between a filepath and extras in an install
requirement. (<code>[#13523](https://github.com/pypa/pip/issues/13523)
&lt;https://github.com/pypa/pip/issues/13523&gt;</code>_)</li>
<li>Ensure the self-check files in the cache have the same permissions
as the rest of the cache.
(<code>[#13528](https://github.com/pypa/pip/issues/13528)
&lt;https://github.com/pypa/pip/issues/13528&gt;</code>_)</li>
<li>Avoid concurrency issues and improve performance when caching
locally built wheels,
especially when the temporary build directory is on a different
filesystem than the cache.
The wheel directory passed to the build backend is now a temporary
subdirectory inside
the cache directory.
(<code>[#13540](https://github.com/pypa/pip/issues/13540)
&lt;https://github.com/pypa/pip/issues/13540&gt;</code>_)</li>
<li>Include relevant user-supplied constraints in logs when reporting
dependency conflicts.
(<code>[#13545](https://github.com/pypa/pip/issues/13545)
&lt;https://github.com/pypa/pip/issues/13545&gt;</code>_)</li>
<li>Fix a regression in configuration parsing that was turning a single
value
into a list and thus leading to a validation error.
(<code>[#13548](https://github.com/pypa/pip/issues/13548)
&lt;https://github.com/pypa/pip/issues/13548&gt;</code>_)</li>
<li>For Python versions that do not support :pep:<code>706</code>, pip
will now raise an installation error for a
source distribution when it includes a symlink that points outside the
source distribution archive.
(<code>[#13550](https://github.com/pypa/pip/issues/13550)
&lt;https://github.com/pypa/pip/issues/13550&gt;</code>_)</li>
<li>Prevent <code>--user</code> installs if
<code>site.ENABLE_USER_SITE</code> is set to <code>False</code>.
(<code>[#8794](https://github.com/pypa/pip/issues/8794)
&lt;https://github.com/pypa/pip/issues/8794&gt;</code>_)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/a52069365063ea813fe3a3f8bac90397c9426d35"><code>a520693</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/0f2973eded07de7fcfe90d494763821172bc2c5f"><code>0f2973e</code></a>
Fix up authors by adding entry to <code>.mailmap</code></li>
<li><a
href="https://github.com/pypa/pip/commit/87828dc11b18b657d95fed4dc4ed996ba032e4f8"><code>87828dc</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/ce6a38ce06886f1f711226600a5b002df1b70453"><code>ce6a38c</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13628">#13628</a> from
sbidoul/imp-doc-pep517-sbi</li>
<li><a
href="https://github.com/pypa/pip/commit/ee16c815eb52190a3ffa6d9e19e7dac78a0a0c3e"><code>ee16c81</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13629">#13629</a> from
notatallshaw/bump-gone_in=&quot;25.3&quot;</li>
<li><a
href="https://github.com/pypa/pip/commit/3e227aafbfe5c464ce9f2fb72c446e29692ea6c2"><code>3e227aa</code></a>
Bump gone_in=&quot;25.3&quot;</li>
<li><a
href="https://github.com/pypa/pip/commit/4ad18287837da0bc52feb8dce03f604809395e3b"><code>4ad1828</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13495">#13495</a> from
ichard26/feat/direct-editables</li>
<li><a
href="https://github.com/pypa/pip/commit/66ded3b043ae3e25d761ee092c1add0d98c9e4bf"><code>66ded3b</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13570">#13570</a> from
ShubhamNagure/fix-constraint-reporting-13545</li>
<li><a
href="https://github.com/pypa/pip/commit/67e8ac2fc9002bfec8d371ecbe1a8813c64b68e9"><code>67e8ac2</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13588">#13588</a> from
notatallshaw/hint-on-resolution-impossible-whe...</li>
<li><a
href="https://github.com/pypa/pip/commit/990ca8a45149ea8980bd82699471fbabeeeec18c"><code>990ca8a</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/8796">#8796</a> from
pelson/honour_user_site</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/25.2...25.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=25.2&new-version=25.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements/constraints.txt | 2 +-
 requirements/dev.txt         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/constraints.txt b/requirements/constraints.txt
index 082dc87bba7..77483742779 100644
--- a/requirements/constraints.txt
+++ b/requirements/constraints.txt
@@ -286,7 +286,7 @@ zlib-ng==1.0.0
     #   -r requirements/test-common.in
 
 # The following packages are considered to be unsafe in a requirements file:
-pip==25.2
+pip==25.3
     # via pip-tools
 setuptools==80.9.0
     # via pip-tools
diff --git a/requirements/dev.txt b/requirements/dev.txt
index bc26cacbea1..b769c365454 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -276,7 +276,7 @@ zlib-ng==1.0.0
     #   -r requirements/test-common.in
 
 # The following packages are considered to be unsafe in a requirements file:
-pip==25.2
+pip==25.3
     # via pip-tools
 setuptools==80.9.0
     # via pip-tools