A Python project root is now defined as containing a pyproject.toml, or
a setup.py (pre-PEP-517 legacy layout). After this patch, this logic
applies to all checks except parse_editable, where we check for setup.py
and setup.cfg instead since non-setuptools PEP 517 projects cannot be
installed as editable right now.
Pip dropped support for `git+ssh@` style requirements (see #7554)
in favour of `git+ssh://` but didn't propagate the change to
`pip freeze` which resultantly returns invalid requirements.
Fix this behaviour.
Fixes #9625.
Previously, maliciously formatted tags could be used to hijack a
commit-based pin. Using the fact that the split here allowed for
all of unicode's whitespace characters as separators -- which git allows
as a part of a tag name -- it is possible to force a different revision
to be installed, if an attacker gains access to the repository.
This change stops splitting the string on unicode characters, by forcing
the splits to happen on newlines and ASCII spaces.
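
The parsing difference described in the commit message above, as an added example that is not pip's code and not part of the commit. The function names, the 40-hex-digit hash check and the `git show-ref`-style sample (placeholder hashes, a tag name containing U+2028) are assumptions constructed for illustration.

```python
import re

# Constructed sample in `git show-ref` format (placeholder hashes). The tag
# name on the second line contains U+2028 (LINE SEPARATOR): Unicode
# whitespace, but neither "\n" nor an ASCII space.
SAMPLE = (
    "1111111111111111111111111111111111111111 refs/heads/main\n"
    "2222222222222222222222222222222222222222 refs/tags/v1.0\u2028note\n"
)


def parse_lenient(output):
    """Unicode-aware splitting: splitlines() and split() accept any
    Unicode whitespace as a separator, so one ref can be read as several."""
    refs = {}
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) == 2:
            refs[fields[1]] = fields[0]
    return refs


def parse_strict(output):
    """Records end at "\\n" only; fields split on the first ASCII space only."""
    refs = {}
    for line in output.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        sha, sep, name = line.partition(" ")
        # Assumption: SHA-1 object ids (40 lowercase hex digits).
        if not sep or not re.fullmatch(r"[0-9a-f]{40}", sha):
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[name] = sha
    return refs


def suspicious_refs(refs):
    """Ref names that contain any character str.isspace() accepts."""
    return [name for name in refs if any(ch.isspace() for ch in name)]


if __name__ == "__main__":
    print("lenient:", sorted(parse_lenient(SAMPLE)))
    print("strict: ", sorted(parse_strict(SAMPLE)))
    print("flagged:", suspicious_refs(parse_strict(SAMPLE)))
```

The lenient parser reports a `refs/tags/v1.0` entry that does not exist in the repository, while the strict parser keeps the full ref name intact so it can be flagged or rejected.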
The typing module has been available since Python 3.5. Guarding the
import has been unnecessary since dropping Python 2.
Some guards remain to either:
- Avoid circular imports
- Importing objects that are also guarded by typing.TYPE_CHECKING
- Avoid mypy_extensions dependency
The stdlib module has been available since Python 3.5 and the
TYPE_CHECKING constant has been available since 3.5.2.
By using stdlib, this removes the need for pip to maintain its own
Python 2 typing compatibility shim.
Previously, the Subversion subclass violated the parent's type signature
by returning an int, but it is now coerced to a str to match the
expected signature.
Use pyupgrade to convert simple string formatting to use f-string
syntax. pyupgrade is intentionally timid and will not create an f-string
if it would make the expression longer or if the substitution parameters
are anything but simple names or dotted names.
In the base class, the signature is defined as:

    type: (str) -> str

Further, the docstring says:

    Raises RemoteNotFoundError if the repository does not have a remote
    url configured.

However, some subclasses were returning None instead of raising
RemoteNotFoundError. This violated the type signature and forced calling
code to handle multiple error paradigms.
Now, all subclasses implement the base's signature.
This allowed simplifying some call sites as they can assume None will
not be returned.
This mismatch was noticed while trying to remove "mypy:
disallow-untyped-defs=False" comments.
- Reverted behaviour of `Git.controls_location()` and `Mercurial.controls_location()` to call the vcs command if the base `VersionControl.controls_location()` doesn't detect the vcs directory.
- Added `log_failed_cmd` argument to `VcsSupport.run_command()` to allow vcs commands to be tried without logging errors if they aren't present.
- Corrected indentation.
- Removed `expect_stderr=True` in `test_freeze_mercurial_clone_srcdir` as it's not required.