pex 2.1.103 uses pip 20.3.4; pip 20.3.4 has vulnerability CVE-2021-3572

[hpatelbitglass]

More info regarding the vulnerability can be found at: https://avd.aquasec.com/nvd/2021/cve-2021-3572/
Fixed pip version 21.1
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

[jsirois]

Thanks. This will be fixed as part of #1805 - namely, we have other reasons to want to upgrade Pip.

[jsirois]

With the release of Pex 2.1.104 there is now the option to use --pip-version 22.2.2 which will have the vendored Pip used 1 time to download the 22.2.2 version of Pip which will be used from then forward whenever --pip=version 22.2.2 is specified. This is much akin to pip install -U pip.

[jsirois]

I'll re-open and let #3057 re-close this with the release of Pex 2.77.0 with the caveat, as explained in #2785 (comment) of vendored pip only being elided if you are installing Pex for a Python>=3.12 venv.