What's new in pip 26.1: lockfiles, dependency cooldowns, and security fixes
Summary
pip 26.1 introduces experimental lockfile support via pylock.toml, adds dependency cooldowns to slow the impact of compromised packages, and lifts several 2020 resolver limitations. It also drops Python 3.9 support and includes security fixes (tar vs zip handling, self-check deferral, and a urllib3 upgrade), while warning that these features are experimental and not production-ready.