From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Wed, 29 Apr 2026 14:53:55 +0000 (+0200)
Subject: [3.13] gh-149148: Upgrade bundled pip to 26.1 (GH-149150) (#149155)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d424d8847ac8f16d4ca70d63a723875315edb057;p=thirdparty%2FPython%2Fcpython.git

[3.13] gh-149148: Upgrade bundled pip to 26.1 (GH-149150) (#149155)

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---

diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
index 9f4e64bc78bd..651797214789 100644
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
@@ -10,7 +10,7 @@ from shutil import copy2
 
 
 __all__ = ["version", "bootstrap"]
-_PIP_VERSION = "26.0.1"
+_PIP_VERSION = "26.1"
 
 # Directory of system wheel packages. Some Linux distribution packaging
 # policies recommend against bundling dependencies. For example, Fedora
diff --git a/Lib/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl b/Lib/ensurepip/_bundled/pip-26.1-py3-none-any.whl
similarity index 73%
rename from Lib/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
rename to Lib/ensurepip/_bundled/pip-26.1-py3-none-any.whl
index 580d09a92042..b51afa14f7c0 100644
Binary files a/Lib/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl and b/Lib/ensurepip/_bundled/pip-26.1-py3-none-any.whl differ
diff --git a/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst b/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst
new file mode 100644
index 000000000000..06186773474f
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-04-29-14-33-42.gh-issue-149148.EaiYvk.rst
@@ -0,0 +1,2 @@
+:mod:`ensurepip`: Upgrade bundled pip to 26.1. This version fixes
+the :cve:`2026-3219` vulnerability. Patch by Victor Stinner.