[3.10] gh-144538: Upgrade pip to 26.0.1 and setuptools to 80.10.2 (GH-144538)#144539

Closed
darklight3it wants to merge 3 commits into python:3.10 from darklight3it:dmelfi/update-pip-and-other-external-libraries

Conversation


@darklight3it darklight3it commented Feb 6, 2026

Upgrade pip to 26.0.1 and setuptools to 80.10.2

Summary

Updated Python's ensurepip module to bundle the latest versions of pip and setuptools, addressing 5 security vulnerabilities (CVEs).

Package Versions

| Package | Old Version | New Version |
|---|---|---|
| pip | 23.0.1 | 26.0.1 |
| setuptools | 79.0.1 | 80.10.2 |

CVEs Fixed

| CVE ID | Component | Severity | Link |
|---|---|---|---|
| CVE-2023-5752 | pip | Medium | https://nvd.nist.gov/vuln/detail/CVE-2023-5752 |
| CVE-2025-8869 | pip | Moderate | https://ubuntu.com/security/CVE-2025-8869 |
| CVE-2026-1703 | pip | Not yet rated | https://nvd.nist.gov/vuln/detail/CVE-2026-1703 |
| CVE-2024-23949 | jaraco-context (setuptools) | High | https://ubuntu.com/security/CVE-2024-23949 |
| CVE-2026-24049 | wheel (setuptools) | High | https://www.thehackerwire.com/vulnerability/CVE-2026-24049/ |

Verification

Checksums Verified ✅

  • pip-26.0.1-py3-none-any.whl: bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b
  • setuptools-80.10.2-py3-none-any.whl: 95b30ddfb717250edb492926c92b5221f7ef3fbcc2b07579bcd4a27da21d0173

Vendored Dependencies Verified ✅

  • jaraco.context 6.1.0 in setuptools (fixes CVE-2024-23949)
  • wheel 0.46.3 in setuptools (fixes CVE-2024-24049)

Testing

Build Test ✅

```sh
./configure --with-pydebug && make -j4
```

Build completed successfully.

ensurepip Version Check ✅

```sh
./python -m ensurepip --version
```

Output: pip 26.0.1 from .../Lib/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl/pip (python 3.10)

Virtual Environment Test ✅

```sh
./python -m venv test_venv
source test_venv/bin/activate
pip --version                                                  # pip 26.0.1 ✅
python -c "import setuptools; print(setuptools.__version__)"   # setuptools 80.10.2 ✅
pip install requests                                           # Successfully installed ✅
```

Test Suite ✅

```sh
./python -m test test_ensurepip
```

Result: 30 tests passed, 0 failed (13.123s)

Patchcheck ✅

```sh
make patchcheck
```

All checks passed.

Compatibility

  • Python Version: 3.10.19+ ✅
  • pip 26.0.1 requires: Python >= 3.9 ✅
  • setuptools 80.10.2 requires: Python >= 3.9 ✅
  • PEP 706 Support: Yes (provides additional protection for CVE-2025-8869)

Breaking Changes

setuptools 80.0.0+

  • Removed easy_install command
  • Impact: None (ensurepip uses pip, not easy_install)

pip 26.0+

  • Dropped Python 3.8 support
  • Impact: None (this is Python 3.10.19)

Files Changed

  • Lib/ensurepip/__init__.py - Updated version constants
  • Lib/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl - New wheel
  • Lib/ensurepip/_bundled/setuptools-80.10.2-py3-none-any.whl - New wheel
  • Removed old wheels (pip-23.0.1, setuptools-79.0.1)
  • Misc/NEWS.d/next/Library/2026-02-05-13-28-14.gh-issue-000000.d17905.rst - NEWS entry

References
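The checksum and vendored-dependency checks listed under Verification, written out as a script. This is an added example, not part of this PR or of CPython's own tooling: it streams each bundled wheel through SHA-256 and compares against the digests quoted above (a missing wheel counts as a failure), and reads the `Version:` field of every vendored dist-info `METADATA` inside the setuptools wheel. It assumes setuptools lays out vendored packages as `setuptools/_vendor/<name>-<version>.dist-info/`; `build_demo_wheel` constructs a stand-in wheel so the checks run offline.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# SHA-256 digests as listed in the PR description.
EXPECTED_SHA256 = {
    "pip-26.0.1-py3-none-any.whl": "bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b",
    "setuptools-80.10.2-py3-none-any.whl": "95b30ddfb717250edb492926c92b5221f7ef3fbcc2b07579bcd4a27da21d0173",
}
# Assumption: setuptools vendors each dependency as a dist-info directory under setuptools/_vendor/.
_DIST_INFO = re.compile(r"^setuptools/_vendor/([^/]+)-([^/-]+)\.dist-info/METADATA$")

def sha256_of(path):
    """Stream the file through SHA-256 instead of reading a multi-MB wheel at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_bundled_wheels(bundled_dir, expected=EXPECTED_SHA256):
    """Per wheel: True only if the file exists and its digest matches (missing = failure)."""
    paths = {name: Path(bundled_dir, name) for name in expected}
    return {name: p.is_file() and sha256_of(p) == expected[name] for name, p in paths.items()}

def vendored_versions(wheel_path):
    """Map vendored distribution name -> Version: field read from its METADATA."""
    versions = {}
    with zipfile.ZipFile(wheel_path) as zf:
        for member in zf.namelist():
            m = _DIST_INFO.match(member)
            if m:
                meta = zf.read(member).decode("utf-8", "replace")
                ver = re.search(r"^Version:\s*(\S+)", meta, re.M)
                # Prefer the METADATA field; fall back to the version in the directory name.
                versions[m.group(1)] = ver.group(1) if ver else m.group(2)
    return versions

def build_demo_wheel(directory=None):
    """Constructed stand-in for the real setuptools wheel, so the checks run offline."""
    path = Path(directory or tempfile.mkdtemp(), "setuptools-80.10.2-py3-none-any.whl")
    with zipfile.ZipFile(path, "w") as zf:
        for dist, ver in (("jaraco.context", "6.1.0"), ("wheel", "0.46.3")):
            zf.writestr(f"setuptools/_vendor/{dist}-{ver}.dist-info/METADATA",
                        f"Metadata-Version: 2.1\nName: {dist}\nVersion: {ver}\n")
    return path
```

Against a real checkout, point `check_bundled_wheels` and `vendored_versions` at `Lib/ensurepip/_bundled/`; the constructed wheel deliberately fails the digest check, which is the result a tampered or wrong-version wheel should produce.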


python-cla-bot bot commented Feb 6, 2026

All commit authors signed the Contributor License Agreement.

CLA signed

@darklight3it darklight3it changed the title from "Upgrade pip to 26.0.1 and setuptools to 80.10.2" to "gh-144538: Upgrade pip to 26.0.1 and setuptools to 80.10.2" Feb 6, 2026
@darklight3it darklight3it changed the title from "gh-144538: Upgrade pip to 26.0.1 and setuptools to 80.10.2" to "[3.10] gh-144538: Upgrade pip to 26.0.1 and setuptools to 80.10.2 (GH-144538)" Feb 6, 2026
Member

hugovk commented Feb 6, 2026

Thanks for the PR, but a pip maintainer is planning on doing this today, so let's close this. We also normally make changes to main and then backport as needed.

@hugovk hugovk closed this Feb 6, 2026