chore(deps): update dependency pip to v26.1 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
pip (changelog)	==26.0.1 → ==26.1

---

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

CVE-2026-6357 / GHSA-jp4c-xjxw-mgf9

More information

Details

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-6357
• https://github.com/pypa/pip/pull/13923
• https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#security-fixes
• http://www.openwall.com/lists/oss-security/2026/04/27/7
• https://github.com/pypa/pip/commit/b369bfc96cc524e00c267e1693290e6599c36bad
• https://github.com/advisories/GHSA-jp4c-xjxw-mgf9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pypa/pip (pip)

v26.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun