From fbd11c6d443ea93ab90cd011a34f8078e3cffd31 Mon Sep 17 00:00:00 2001
From: Reinier Criel <reinier.criel@gmail.com>
Date: Wed, 12 Nov 2025 14:01:06 -0800
Subject: [PATCH] Update

---
 packages/safe-chain/src/packagemanager/pip/runPipCommand.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
index 0f5e697..f3e7aa9 100644
--- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
+++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
@@ -24,13 +24,14 @@ export async function runPip(command, args) {
     if (!env.REQUESTS_CA_BUNDLE) {
       env.REQUESTS_CA_BUNDLE = combinedCaPath;
     }
+
+    // https://pip.pypa.io/en/stable/topics/https-certificates/ explains that the --cert option (which we're providing via both INI and PIP_CERT)
+    // Testing has shown that REQUESTS_CA_BUNDLE alone is not sufficient; PIP_CERT, SSL_CERT_FILE, or pip config cert is also needed in some cases.
     
     if (!env.SSL_CERT_FILE) {
       env.SSL_CERT_FILE = combinedCaPath;
     }
 
-    // https://pip.pypa.io/en/stable/topics/https-certificates/ explains that the --cert option (which we're providing via both INI and PIP_CERT)
-    // is necessary for pip to use custom certs for later versions.
     if (!env.PIP_CERT) {
       env.PIP_CERT = combinedCaPath;
     }