Announcement: pip 25.3 release!

On behalf of the PyPA, I am pleased to announce that the pip team has just released pip 25.3.

This is the fourth and final major release of pip for the year 2025. You can read more about our versioning, deprecation policy, and release process here.

Highlights

  • Removed non-PEP 517 package build support:

    • --no-use-pep517 has been removed and pip will no longer call setup.py bdist_wheel.
    • --global-option and --build-option have been removed; --config-setting is now the only way to pass options to the build backend.
  • Removed non-PEP 660 editable installs, so pip will no longer call setup.py develop. If you use editable installs with setuptools, you must now use setuptools >= 64.

  • Added a new option, --build-constraint, which allows you to specify your build time constraints without affecting your install constraints. Using PIP_CONSTRAINT to specify build constraints is now deprecated. If you are using build constraints this way now, you can preserve the same behavior by pointing PIP_CONSTRAINT and PIP_BUILD_CONSTRAINT to the same file.

  • When PEP 658 metadata is available from the remote index, pip install --dry-run and pip lock will no longer download full distributions.

  • Support editable requirements as Direct URLs, e.g. pip install -e "pkgb @ file://$PWD/pkga".

  • Use a temporary directory in the wheel cache to build wheels, so the built wheel is always on the same filesystem as the wheel cache, and can be atomically moved into the cache.

  • Pip itself is now built with flit-core instead of setuptools.

Beyond this list, 25.3 contains additional bug fixes and smaller QoL improvements. Please consult our changelog for more information.

Release process

This release was built and published to PyPI using a GitHub workflow and a PyPI Trusted Publisher.

Thanks

As with all pip releases, a significant amount of the work was contributed by pip’s user community. Many thanks to all who have contributed, whether through code, documentation, issue reports and/or discussion. Your help keeps pip improving, and is hugely appreciated.

I would particularly like to thank @sbidoul, who got the removal of non-PEP 517 builds over the line. PEP 517 has been with us for over 10 years now, and non-PEP 517 builds have been deprecated for over 6 years. But the Python packaging ecosystem is huge, and removing old flows takes a sustained and continual push by countless people to move to modern practices. Thanks to anyone who has helped in any way.

I would further like to thank @ichard26, who, while not authoring as many PRs in this release, significantly helped by providing invaluable code reviews.

Regards,
Damian

P.S. As with Richard and the last release, this is my first time as release manager. It’s a tricky task to make sure pip keeps moving forward while being careful and respectful that so many people depend on it.

28 Likes

Congratulations on your first release! :tada:

8 Likes

I am sad to inform you all that I did not have the bandwidth to write up a release post to coincide with pip 25.3. You’ll have to read the changelog and potentially the GitHub issues for context if you’re curious.

FWIW, this release also fixed CVE-2025-8869 for older Python releases (via Add a function to check the security of symbolic links. by dkjsone · Pull Request #13550 · pypa/pip · GitHub).

(It’s helpful to include CVE references in release announcements - it lets us know that we have extra housekeeping work to do)

1 Like

That CVE is better fixed by upgrading Python to >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12, as it is a specific instance of CVE-2007-4559.

So if you are not on an outdated version of Python you are not affected by that CVE.

5 Likes
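
A way to check an interpreter against the version thresholds quoted in the reply above, added here as an example (it is not part of the thread and not pip's code). The function names are hypothetical; `tarfile.data_filter` is the standard library's PEP 706 extraction filter, which the listed Python releases ship, and the symlink member is constructed in memory for the check.

```python
import sys
import tarfile
import tempfile

# Minimum micro version per minor series, as quoted in the thread above.
PATCHED_FLOOR = {(3, 9): 17, (3, 10): 12, (3, 11): 4}


def python_is_patched(version=sys.version_info):
    """True if `version` meets the thresholds quoted in the thread."""
    major, minor, micro = version[:3]
    if (major, minor) >= (3, 12):
        return True
    floor = PATCHED_FLOOR.get((major, minor))
    return floor is not None and micro >= floor


def filter_rejects_escaping_symlink():
    """Ask tarfile's own 'data' filter about a constructed symlink member.

    Returns True if the filter refuses the member, False if it accepts it,
    and None if this interpreter has no extraction filters at all.
    """
    if not hasattr(tarfile, "data_filter"):
        return None
    member = tarfile.TarInfo("pkg/link")   # constructed sample, never written to disk
    member.type = tarfile.SYMTYPE
    member.linkname = "../../outside"      # resolves above the destination directory
    with tempfile.TemporaryDirectory() as dest:
        try:
            tarfile.data_filter(member, dest)
        except tarfile.FilterError:
            return True
    return False


if __name__ == "__main__":
    print("python:", sys.version.split()[0])
    print("meets thresholds from the thread:", python_is_patched())
    print("data filter rejects escaping symlink:", filter_rejects_escaping_symlink())
```

A `None` from the second function means the interpreter has no extraction filters, so the symlink check in pip 25.3 is what protects tar extraction there.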