Skip yanked releases unless specified

2023-12-13 21:30:23 +01:00 · 2021-10-30 11:40:40 +02:00 · 2021-10-30 11:40:40 +02:00 · 6b62c28060
parent c99e91224c
commit 6b62c28060
2 changed files with 7 additions and 4 deletions
--- a/news/10617.bugfix.rst
+++ b/news/10617.bugfix.rst
@ -0,0 +1,2 @@
+Prevent pip from installing yanked releases unless
+explicitely required via the `==` or `===` operators.
--- a/src/pip/_internal/resolution/resolvelib/factory.py
+++ b/src/pip/_internal/resolution/resolvelib/factory.py
@ -273,14 +273,15 @@ class Factory:
            )
            icans = list(result.iter_applicable())

-            # PEP 592: Yanked releases must be ignored unless only yanked
-            # releases can satisfy the version range. So if this is false,
-            # all yanked icans need to be skipped.
+            # PEP 592: Yanked releases are ignored unless the specifier
+            # explicitely requests a version ('==' or '===') that can be
+            # solely satisfied by a yanked release.
            all_yanked = all(ican.link.is_yanked for ican in icans)
+            direct_specifier = any({'==' in sp.operator for sp in specifier})

            # PackageFinder returns earlier versions first, so we reverse.
            for ican in reversed(icans):
-                if not all_yanked and ican.link.is_yanked:
+                if (all_yanked and not direct_specifier) and ican.link.is_yanked:
                    continue
                func = functools.partial(
                    self._make_candidate_from_link,