From c869ea5a802d4966f2ea4c699d6066bc5a21127f Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 08:59:54 +0530 Subject: [PATCH 1/6] docs: clarify dependency-confusion warning refers to --extra-index-url Make the warning in the pip install docs explicitly name --extra-index-url so readers cannot misinterpret which option the warning refers to. --- docs/html/cli/pip_install.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 00d7f7d23b1..056a2ac04d6 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst @@ -479,12 +479,11 @@ Examples .. warning:: - Using this option to search for packages which are not in the main - repository (such as private packages) is unsafe, per a security - vulnerability called - `dependency confusion `_: - an attacker can claim the package on the public repository in a way that - will ensure it gets chosen over the private package. + Using the ``--extra-index-url`` option to search for packages which are + not in the main repository (for example, private packages) is unsafe. + This is a class of security issue known as dependency confusion — an + attacker can publish a package with the same name to a public index, + which may then be chosen instead of your private package. .. tab:: Unix/macOS From f757681fc194b3a777c025757bbe3c2aa6bf90f1 Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 10:30:50 +0530 Subject: [PATCH 2/6] news: add doc entry for --extra-index-url docs clarification (#13609) --- news/13609.doc.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 news/13609.doc.rst diff --git a/news/13609.doc.rst b/news/13609.doc.rst new file mode 100644 index 00000000000..3d2ace48af2 --- /dev/null +++ b/news/13609.doc.rst @@ -0,0 +1 @@ +Clarify dependency-confusion warning applies to --extra-index-url \ No newline at end of file 
From dee2250610efb34c32db06ca117fb498e48487fc Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 12:32:22 +0530 Subject: [PATCH 3/6] fix: add newline in news --- news/13609.doc.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/13609.doc.rst b/news/13609.doc.rst index 3d2ace48af2..f922130294a 100644 --- a/news/13609.doc.rst +++ b/news/13609.doc.rst @@ -1 +1 @@ -Clarify dependency-confusion warning applies to --extra-index-url \ No newline at end of file +Clarify dependency-confusion warning applies to --extra-index-url From 525e387306ffaf8584cc5cafd2e65454027e2193 Mon Sep 17 00:00:00 2001 From: Aman Date: Fri, 3 Oct 2025 13:49:19 +0530 Subject: [PATCH 4/6] docs: restore Azure mitigation link --- docs/html/cli/pip_install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 056a2ac04d6..2d2afc4f4fd 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst @@ -481,7 +481,7 @@ Examples Using the ``--extra-index-url`` option to search for packages which are not in the main repository (for example, private packages) is unsafe. - This is a class of security issue known as dependency confusion — an + This is a class of security issue known as `dependency confusion `_ — an attacker can publish a package with the same name to a public index, which may then be chosen instead of your private package. From 4b52e80cf2e69a06af1aec016d467f05a238b525 Mon Sep 17 00:00:00 2001 From: Aman Date: Fri, 3 Oct 2025 14:17:02 +0530 Subject: [PATCH 5/6] Update docs/html/cli/pip_install.rst Co-authored-by: Paul Moore --- docs/html/cli/pip_install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 2d2afc4f4fd..1e0decafddc 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst 
@@ -481,7 +481,7 @@ Examples Using the ``--extra-index-url`` option to search for packages which are not in the main repository (for example, private packages) is unsafe. - This is a class of security issue known as `dependency confusion `_ — an + This is a class of security issue known as `dependency confusion `_: an attacker can publish a package with the same name to a public index, which may then be chosen instead of your private package. From eaa8d8cd5e4f6d0c6303a7a3b0d28115eb980465 Mon Sep 17 00:00:00 2001 From: Richard Si Date: Sun, 12 Oct 2025 19:24:58 -0400 Subject: [PATCH 6/6] Remove changelog entry --- news/13609.doc.rst | 1 - 1 file changed, 1 deletion(-) delete mode 100644 news/13609.doc.rst diff --git a/news/13609.doc.rst b/news/13609.doc.rst deleted file mode 100644 index f922130294a..00000000000 --- a/news/13609.doc.rst +++ /dev/null @@ -1 +0,0 @@ -Clarify dependency-confusion warning applies to --extra-index-url
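Review bot: the PATCH 1/6 hunk in docs/html/cli/pip_install.rst turns the linked term `` `dependency confusion `_`` into plain text, so the reference that pointed readers at background and mitigations disappears from the warning; keep the link in the rewrite rather than restoring it in a follow-up commit. The same hunk also weakens the security claim: "in a way that will ensure it gets chosen over the private package" becomes "which may then be chosen instead of your private package", which reads as if the outcome were uncertain. The point of the warning is that the attacker controls which copy pip selects, so retain wording as strong as the original, for example "which will then be chosen instead of your private package". Finally, the hunk introduces an em dash ("dependency confusion — an") where the original used a colon; the rest of the file uses plain ASCII punctuation, so use ": an" here as well.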
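Review bot: the PATCH 2/6 hunk creates news/13609.doc.rst without a trailing newline ("\ No newline at end of file"), and PATCH 3/6 exists only to add it; squash the two so the series does not carry a one-character fix-up. Since PATCH 6/6 then deletes news/13609.doc.rst entirely, patches 2 and 3 are a net no-op across the series and can be dropped from it altogether, leaving only the docs change.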
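Review bot: the PATCH 4/6 hunk and the PATCH 5/6 hunk each touch the single line `This is a class of security issue known as ...` that PATCH 1/6 introduced, first re-adding the hyperlink reference and then replacing the em dash with a colon; both are corrections to patch 1 and should be squashed into it so the history shows one coherent docs change. For the restored link, the target URL is not visible in the hunk as shown here, so confirm before merging that the `` `dependency confusion <...>`_`` reference carries the same URL the original warning had (the commit subject calls it the Azure mitigation link) and that a docs build reports no unknown-target warning for it.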