pypa · pradyunsg · Jan 24, 2022 · Oct 30, 2021 · Nov 6, 2021 · Nov 6, 2021
diff --git a/news/10617.bugfix.rst b/news/10617.bugfix.rst
@@ -0,0 +1,2 @@
+Prevent pip from installing yanked releases unless
+explicitely pinned via the ``==`` or ``===`` operators.
diff --git a/src/pip/_internal/resolution/resolvelib/factory.py b/src/pip/_internal/resolution/resolvelib/factory.py
@@ -273,14 +273,25 @@ def iter_index_candidate_infos() -> Iterator[IndexCandidateInfo]:
             )
             icans = list(result.iter_applicable())
 
-            # PEP 592: Yanked releases must be ignored unless only yanked
-            # releases can satisfy the version range. So if this is false,
-            # all yanked icans need to be skipped.
+            # PEP 592: Yanked releases are ignored unless the specifier
+            # explicitely pins a version (via '==' or '===') that can be
+            # solely satisfied by a yanked release.
             all_yanked = all(ican.link.is_yanked for ican in icans)
 
+            def is_pinned(specifier: SpecifierSet) -> bool:
+                for sp in specifier:
+                    if sp.operator == "===":
+                        return True
+                    if sp.operator != "==":
+                        continue
+                    if sp.version.endswith(".*"):
+                        continue
+                    return True
+                return False
+
             # PackageFinder returns earlier versions first, so we reverse.
             for ican in reversed(icans):
-                if not all_yanked and ican.link.is_yanked:
+                if (all_yanked and not is_pinned(specifier)) and ican.link.is_yanked:
-                if (all_yanked and not is_pinned(specifier)) and ican.link.is_yanked:
+                if not (all_yanked and is_pinned(specifier)) and ican.link.is_yanked:
     def _sort_key(self, candidate: InstallationCandidate) -> CandidateSortingKey: 
         """ 
         Function to pass as the `key` argument to a call to sorted() to sort 
         InstallationCandidates by preference. 
         Returns a tuple such that tuples sorting as greater using Python's 
         default comparison operator are more preferred. 
         The preference is as follows: 
         First and foremost, candidates with allowed (matching) hashes are 
         always preferred over candidates without matching hashes. This is 
         because e.g. if the only candidate with an allowed hash is yanked, 
         we still want to use that candidate. 
         Second, excepting hash considerations, candidates that have been 
         yanked (in the sense of PEP 592) are always less preferred than 
         candidates that haven't been yanked. Then: 
         If not finding wheels, they are sorted by version only. 
         If finding wheels, then the sort order is by version, then: 
           1. existing installs 
           2. wheels ordered via Wheel.support_index_min(self._supported_tags) 
           3. source archives 
         If prefer_binary was set, then all wheels are sorted above sources. 
         Note: it was considered to embed this logic into the Link 
               comparison operators, but then different sdist links 
               with the same version, would have to be considered equal 
         """ 
         valid_tags = self._supported_tags 
         support_num = len(valid_tags) 
         build_tag: BuildTag = () 
         binary_preference = 0 
         link = candidate.link 
         if link.is_wheel: 
             # can raise InvalidWheelFilename 
             wheel = Wheel(link.filename) 
             try: 
                 pri = -( 
                     wheel.find_most_preferred_tag( 
                         valid_tags, self._wheel_tag_preferences 
                     ) 
                 ) 
             except ValueError: 
                 raise UnsupportedWheel( 
                     "{} is not a supported wheel for this platform. It " 
                     "can't be sorted.".format(wheel.filename) 
                 ) 
             if self._prefer_binary: 
                 binary_preference = 1 
             if wheel.build_tag is not None: 
                 match = re.match(r"^(\d+)(.*)$", wheel.build_tag) 
                 build_tag_groups = match.groups() 
                 build_tag = (int(build_tag_groups[0]), build_tag_groups[1]) 
         else:  # sdist 
             pri = -(support_num) 
         has_allowed_hash = int(link.is_hash_allowed(self._hashes)) 
         yank_value = -1 * int(link.is_yanked)  # -1 for yanked. 
         return ( 
             has_allowed_hash, 
             yank_value, 
             binary_preference, 
             candidate.version, 
             pri, 
             build_tag, 
         ) 
-                if (all_yanked and not is_pinned(specifier)) and ican.link.is_yanked:
+                if not (all_yanked and is_pinned(specifier)) and ican.link.is_yanked:
     def _sort_key(self, candidate: InstallationCandidate) -> CandidateSortingKey: 
         """ 
         Function to pass as the `key` argument to a call to sorted() to sort 
         InstallationCandidates by preference. 
  
         Returns a tuple such that tuples sorting as greater using Python's 
         default comparison operator are more preferred. 
  
         The preference is as follows: 
  
         First and foremost, candidates with allowed (matching) hashes are 
         always preferred over candidates without matching hashes. This is 
         because e.g. if the only candidate with an allowed hash is yanked, 
         we still want to use that candidate. 
  
         Second, excepting hash considerations, candidates that have been 
         yanked (in the sense of PEP 592) are always less preferred than 
         candidates that haven't been yanked. Then: 
  
         If not finding wheels, they are sorted by version only. 
         If finding wheels, then the sort order is by version, then: 
           1. existing installs 
           2. wheels ordered via Wheel.support_index_min(self._supported_tags) 
           3. source archives 
         If prefer_binary was set, then all wheels are sorted above sources. 
  
         Note: it was considered to embed this logic into the Link 
               comparison operators, but then different sdist links 
               with the same version, would have to be considered equal 
         """ 
         valid_tags = self._supported_tags 
         support_num = len(valid_tags) 
         build_tag: BuildTag = () 
         binary_preference = 0 
         link = candidate.link 
         if link.is_wheel: 
             # can raise InvalidWheelFilename 
             wheel = Wheel(link.filename) 
             try: 
                 pri = -( 
                     wheel.find_most_preferred_tag( 
                         valid_tags, self._wheel_tag_preferences 
                     ) 
                 ) 
             except ValueError: 
                 raise UnsupportedWheel( 
                     "{} is not a supported wheel for this platform. It " 
                     "can't be sorted.".format(wheel.filename) 
                 ) 
             if self._prefer_binary: 
                 binary_preference = 1 
             if wheel.build_tag is not None: 
                 match = re.match(r"^(\d+)(.*)$", wheel.build_tag) 
                 build_tag_groups = match.groups() 
                 build_tag = (int(build_tag_groups[0]), build_tag_groups[1]) 
         else:  # sdist 
             pri = -(support_num) 
         has_allowed_hash = int(link.is_hash_allowed(self._hashes)) 
         yank_value = -1 * int(link.is_yanked)  # -1 for yanked. 
         return ( 
             has_allowed_hash, 
             yank_value, 
             binary_preference, 
             candidate.version, 
             pri, 
             build_tag, 
         ) 
                     continue
                 func = functools.partial(
                     self._make_candidate_from_link,

diff --git a/tests/data/indexes/yanked_all/simple/index.html b/tests/data/indexes/yanked_all/simple/index.html
@@ -0,0 +1,7 @@
+<html>
+  <body>
+    <a data-yanked="test reason message" href="../../../packages/simple-1.0.tar.gz">simple-1.0.tar.gz</a>
+    <a data-yanked="test reason message" href="../../../packages/simple-2.0.tar.gz">simple-2.0.tar.gz</a>
+    <a data-yanked="test reason message" href="../../../packages/simple-3.0.tar.gz">simple-3.0.tar.gz</a>
+  </body>
+</html>
diff --git a/tests/functional/test_install.py b/tests/functional/test_install.py
@@ -2030,6 +2030,24 @@ def test_install_yanked_file_and_print_warning(script, data):
     assert "Successfully installed simple-3.0\n" in result.stdout, str(result)
 
 
+def test_error_all_yanked_files_and_no_pin(script, data):
+    """
+    Test raising an error if there are only "yanked" files available and no pin
+    """
+    result = script.pip(
+        "install",
+        "simple",
+        "--index-url",
+        data.index_url("yanked_all"),
+        expect_error=True,
+    )
+    # Make sure an error is raised
+    assert (
+        result.returncode == 1
+        and "ERROR: No matching distribution found for simple\n" in result.stderr
+    ), str(result)
+
+
 @pytest.mark.parametrize(
     "install_args",
     [