Update bundled pip to 26.1 to fix CVE-2026-3219 vulnerability

[vstinner]

Feature or enhancement

Python 3.15 ensurepip bundles pip 26.0.1 which has CVE-2026-3219 vulnerability:

A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an attacker to influence the installation process by providing a specially crafted archive.

See security-announce email.

Would it be possible update pip to 26.1 in ensurepip?

See issue gh-144538 for the previous pip update.

Linked PRs

• gh-149148: Upgrade bundled pip to 26.1 #149150
• [3.14] gh-149148: Upgrade bundled pip to 26.1 (GH-149150) #149154
• [3.13] gh-149148: Upgrade bundled pip to 26.1 (GH-149150) #149155

[hugovk]

Yes, it's the last step of the pip release process, and usually happens once they're confident the release went out smoothly and didn't need a patch release.

pip RM (for this release) @sbidoul will be doing it: pypa/pip#13795 (comment), we can use this issue for the PR.

[sbidoul]

Does it work for you if I do that this weekend?

[vstinner]

Yes, it's the last step of the pip release process, and usually happens once they're confident the release went out smoothly and didn't need a patch release.

Ok, good!

pip RM (for this release) @sbidoul will be doing it: pypa/pip#13795 (comment), we can use this issue for the PR.

Oh, I already created PR gh-149150 before seeing your message. Feel free to close my PR if you prefer to create a new one.

[sbidoul]

Oh, I already created PR #149150

Ah, perfect then, thanks!