
Commit f1cb70e

chore(deps): update dependency pip to v26 [security] (#16828)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pip](https://redirect.github.com/pypa/pip) ([changelog](https://pip.pypa.io/en/stable/news/)) | `==25.0.1` → `==26.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pip/26.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pip/25.0.1/26.0?slim=true) |

---

### pip's fallback tar extraction doesn't check symbolic links point to extraction directory

[CVE-2025-8869](https://nvd.nist.gov/vuln/detail/CVE-2025-8869) / [GHSA-4xh5-x5gv-qwph](https://redirect.github.com/advisories/GHSA-4xh5-x5gv-qwph)

<details>
<summary>More information</summary>

#### Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

#### Severity

- CVSS Score: 5.9 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2025-8869](https://nvd.nist.gov/vuln/detail/CVE-2025-8869)
- [https://github.com/pypa/pip/pull/13550](https://redirect.github.com/pypa/pip/pull/13550)
- [https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN](https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN)
- [https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a](https://redirect.github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a)
- [https://pip.pypa.io/en/stable/news/#v25-2](https://pip.pypa.io/en/stable/news/#v25-2)
- [https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html](https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html)
- [https://github.com/advisories/GHSA-4xh5-x5gv-qwph](https://redirect.github.com/advisories/GHSA-4xh5-x5gv-qwph)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-4xh5-x5gv-qwph) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### pip Path Traversal vulnerability

[CVE-2026-1703](https://nvd.nist.gov/vuln/detail/CVE-2026-1703) / [GHSA-6vgw-5pg2-w6jp](https://redirect.github.com/advisories/GHSA-6vgw-5pg2-w6jp)

<details>
<summary>More information</summary>

#### Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

#### Severity

- CVSS Score: 2.0 / 10 (Low)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2026-1703](https://nvd.nist.gov/vuln/detail/CVE-2026-1703)
- [https://github.com/pypa/pip/pull/13777](https://redirect.github.com/pypa/pip/pull/13777)
- [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735](https://redirect.github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735)
- [https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ](https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ)
- [https://github.com/advisories/GHSA-6vgw-5pg2-w6jp](https://redirect.github.com/advisories/GHSA-6vgw-5pg2-w6jp)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6vgw-5pg2-w6jp) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>pypa/pip (pip)</summary>

### [`v26.0`](https://redirect.github.com/pypa/pip/compare/25.3...26.0)

[Compare Source](https://redirect.github.com/pypa/pip/compare/25.3...26.0)

### [`v25.3`](https://redirect.github.com/pypa/pip/compare/25.2...25.3)

[Compare Source](https://redirect.github.com/pypa/pip/compare/25.2...25.3)

### [`v25.2`](https://redirect.github.com/pypa/pip/compare/25.1.1...25.2)

[Compare Source](https://redirect.github.com/pypa/pip/compare/25.1.1...25.2)

### [`v25.1.1`](https://redirect.github.com/pypa/pip/compare/25.1...25.1.1)

[Compare Source](https://redirect.github.com/pypa/pip/compare/25.1...25.1.1)

### [`v25.1`](https://redirect.github.com/pypa/pip/compare/25.0.1...25.1)

[Compare Source](https://redirect.github.com/pypa/pip/compare/25.0.1...25.1)

</details>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - ""
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/google-cloud-python).
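Both advisories quoted in the PR description come down to archive members that land outside the extraction directory: symlink targets in an sdist tarball (the check pip's fallback extractor lacked on interpreters without PEP 706) and traversing member names in a wheel. As an added example, not part of this PR and not pip's own code, the following Python scan follows the advisory's own mitigation of inspecting distributions before installation: it reports whether the running interpreter provides the PEP 706 tarfile filters (so pip's fallback is not in play), encodes the Python version thresholds the advisory lists, and lexically checks every tar and zip member, including symlink and hardlink targets, against a destination directory. The `/opt/extract` and `/opt/site-packages` destinations, the sample archives and all function names are constructed for this example.

```python
"""Pre-installation archive scan (added example, not pip's code).

Checks that an sdist tarball or a wheel (zip) would not write or link outside
its destination directory. Destinations and sample archives are constructed.
"""
import io
import posixpath
import sys
import tarfile
import zipfile


def python_implements_pep706() -> bool:
    """PEP 706 added tarfile extraction filters; pip only falls back to its
    own extractor when this attribute is missing from the stdlib."""
    return hasattr(tarfile, "data_filter")


def version_has_pep706(v=sys.version_info[:3]) -> bool:
    """Version thresholds as listed in the advisory: >=3.9.17, >=3.10.12,
    >=3.11.4, or >=3.12. Minors the advisory does not list are treated as
    lacking the fix."""
    major, minor, micro = v
    if major != 3:
        return major > 3
    if minor >= 12:
        return True
    fixed_micro = {9: 17, 10: 12, 11: 4}
    return minor in fixed_micro and micro >= fixed_micro[minor]


def escapes(dest: str, name: str) -> bool:
    """Lexical containment check: True if `name` joined onto `dest` lands
    outside `dest` (absolute names and '..' traversal both count)."""
    dest = posixpath.normpath(dest)
    if posixpath.isabs(name):
        return True
    joined = posixpath.normpath(posixpath.join(dest, name))
    return not (joined == dest or joined.startswith(dest + "/"))


def unsafe_tar_members(data: bytes, dest: str = "/opt/extract") -> list:
    """Names of tar members whose own path, symlink target, or hardlink
    target would resolve outside `dest`."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes(dest, m.name):
                flagged.append(m.name)
                continue
            if m.issym():
                # A symlink target is resolved relative to the link's directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
            elif m.islnk():
                # A hardlink target is relative to the archive root.
                target = m.linkname
            else:
                continue
            if escapes(dest, target):
                flagged.append(m.name)
    return flagged


def unsafe_wheel_members(data: bytes, dest: str = "/opt/site-packages") -> list:
    """Names of wheel (zip) members that would be written outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes(dest, n)]


def build_sample_sdist() -> bytes:
    """Constructed sample tarball: a regular file, a symlink to a sibling,
    a symlink pointing above the destination, and a member name using '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        src = b"from setuptools import setup\nsetup(name='pkg')\n"
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(src)
        tf.addfile(info, io.BytesIO(src))
        ok = tarfile.TarInfo("pkg-1.0/link_ok")
        ok.type = tarfile.SYMTYPE
        ok.linkname = "setup.py"
        tf.addfile(ok)
        bad = tarfile.TarInfo("pkg-1.0/link_bad")
        bad.type = tarfile.SYMTYPE
        bad.linkname = "../../outside.txt"
        tf.addfile(bad)
        tf.addfile(tarfile.TarInfo("../escape.txt"), io.BytesIO(b""))
    return buf.getvalue()


def build_sample_wheel() -> bytes:
    """Constructed sample wheel: two normal members and one traversing name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("pkg-1.0.dist-info/METADATA", "Name: pkg\nVersion: 1.0\n")
        zf.writestr("../sibling/escaped.py", "")
    return buf.getvalue()


if __name__ == "__main__":
    print("PEP 706 tarfile filters available:", python_implements_pep706())
    print("interpreter meets advisory threshold:", version_has_pep706())
    print("unsafe sdist members:", unsafe_tar_members(build_sample_sdist()))
    print("unsafe wheel members:", unsafe_wheel_members(build_sample_wheel()))
```

The containment check is deliberately lexical (no filesystem access), so it can run on a downloaded archive before anything is unpacked; it flags `pkg-1.0/link_bad` and `../escape.txt` in the sample tarball and `../sibling/escaped.py` in the sample wheel while leaving the sibling symlink `link_ok` alone. On an interpreter where `python_implements_pep706()` is False, upgrading pip narrows the exposure but, as the advisory says, does not remove every tarfile issue that PEP 706 addresses.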
1 parent 046b565 commit f1cb70e

1 file changed

Lines changed: 3 additions & 3 deletions


packages/google-crc32c/scripts/requirements.txt

@@ -31,9 +31,9 @@ wheel==0.46.2 \
3131
# via -r requirements.in
3232

3333
# The following packages are considered to be unsafe in a requirements file:
34-
pip==25.0.1 \
35-
--hash=sha256:88f96547ea48b940a3a385494e181e29fb8637898f88d88737c5049780f196ea \
36-
--hash=sha256:c46efd13b6aa8279f33f2864459c8ce587ea6a1a59ee20de055868d8f7688f7f
34+
pip==26.0 \
35+
--hash=sha256:3ce220a0a17915972fbf1ab451baae1521c4539e778b28127efa79b974aff0fa \
36+
--hash=sha256:98436feffb9e31bc9339cf369fd55d3331b1580b6a6f1173bacacddcf9c34754
3737
# via -r requirements.in
3838
setuptools==78.1.0 \
3939
--hash=sha256:18fd474d4a82a5f83dac888df697af65afa82dec7323d09c3e37d1f14288da54 \
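Review bot: the hash-pinned bump from `pip==25.0.1` to `pip==26.0` replaces both `--hash=sha256:` lines together, which is what a `--require-hashes` install needs, but two things should be confirmed before merging. First, the `# via -r requirements.in` line shows this file is compiled from `requirements.in`; if that file also pins pip at 25.0.1, it needs the same bump or the next compile will revert this change. Second, the PR text says CVE-2025-8869 only affects pip's fallback tar extractor, used when the interpreter lacks PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), so check that the Python this scripts directory runs under meets that bar; bumping pip alone does not close the symlink issue on an older interpreter. It is also worth verifying the two new sha256 digests against the pip 26.0 files published on PyPI rather than trusting the bot output, since this file sits under the "considered to be unsafe" section where pip itself is pinned.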

0 commit comments
