Update dependency pip to v26.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
pip (changelog)	minor	==26.0 → ==26.1

---

pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

CVE-2026-3219 / GHSA-58qw-9mgm-455v

More information

Details

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-3219
• https://github.com/pypa/pip/pull/13870
• https://github.com/pypa/pip
• https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ
• http://www.openwall.com/lists/oss-security/2026/04/20/8

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pypa/pip (pip)

v26.1

Compare Source

v26.0.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.