
fix: Bump setuptools to patch CVE-2024-6345#828

Merged
sharmabikram merged 3 commits into master from shbikram/fix-setuptools
Apr 27, 2026

Conversation

@sharmabikram
Contributor

Replace setuptools==66.1.1 with setuptools>=75.0 to address CVE-2024-6345. Modernize build command from deprecated 'python setup.py sdist bdist_wheel' to 'python -m build', which requires the build package.

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

Replace setuptools==66.1.1 with setuptools>=75.0 to address
CVE-2024-6345. Modernize build command from deprecated
'python setup.py sdist bdist_wheel' to 'python -m build',
which requires the build package.
@sharmabikram sharmabikram requested a review from a team as a code owner April 24, 2026 20:18
Include dev_requirements in source distribution so the
sourcebuildcheck tox environment can find
test-requirements.txt in the extracted tarball.
Newer setuptools normalizes package names using underscores
instead of hyphens in sdist filenames (PEP 625). Update the
glob pattern in source-build-check.sh to match both formats.
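The third commit above states that newer setuptools writes the sdist filename with underscores (PEP 625) and that source-build-check.sh now uses a glob that matches both spellings. As an added example that is not code from this PR or its repository, the POSIX sh helper below takes the other route and checks both spellings explicitly, failing loudly when neither exists. The project name `example-project`, the version and the temporary dist directory are constructed for the demo, and the normalization rule it implements (lower-case, runs of `-`, `_` and `.` collapsed to one `_`) is the PEP 625/PEP 503 rule rather than anything this PR spells out.

```shell
#!/bin/sh
# Added example (not part of this PR or its repository): locate a source
# distribution whether it was named by an older setuptools, which kept the
# project name as written (example-project-1.2.0.tar.gz), or by a newer one
# that applies PEP 625 normalization (example_project-1.2.0.tar.gz).
# The project name, version and directory below are constructed for the demo.

# PEP 625 sdist naming: lower-case the name and collapse every run of
# '-', '_' and '.' into a single '_'.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[-_.][-_.]*/_/g'
}

# Print the path of the sdist for <name> <version> inside <dir>, trying the
# legacy spelling first and the normalized spelling second.
# Returns 1 (prints nothing) when neither file exists, so a calling script
# can fail the build check explicitly instead of silently skipping it.
find_sdist() {
    dir="$1"; name="$2"; version="$3"
    for base in "$name" "$(normalize_name "$name")"; do
        candidate="$dir/$base-$version.tar.gz"
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Demo with a constructed dist/ directory containing a PEP 625-style sdist.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/example_project-1.2.0.tar.gz"
    if sdist=$(find_sdist "$tmp" example-project 1.2.0); then
        echo "found sdist: $sdist"
    else
        echo "no sdist for example-project 1.2.0 in $tmp" >&2
    fi
    rm -rf "$tmp"
}

demo
```

Checking both exact filenames instead of a single glob keeps the script from accidentally picking up a stale tarball with a similar prefix, and the non-zero return makes a missing sdist a hard failure of the source-build check rather than a silent skip.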
Comment on lines +2 to +3
setuptools>=75.0
build>=1.0
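Review bot: both specifiers on lines +2 to +3 carry only a lower bound, so every fresh CI environment resolves to the newest setuptools and build available, future major releases included; since the description says the build now runs through `python -m build`, an unexpected major bump in either package fails the release workflow rather than a local install. Suggest adding a ceiling, e.g. `setuptools>=75.0,<76` and `build>=1.0,<2`, and raising it deliberately once a new major has been tried.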

@lucasmcdonald3 lucasmcdonald3 Apr 27, 2026


Suggested change
setuptools>=75.0
build>=1.0
setuptools>=75.0,<76
build>=1.0,<2

nit: Ideally we wouldn't automatically pull in a breaking change; this can bite us by making our release workflow fail without us realizing why. (That happened to Jose 1-2 weeks ago.) But not a big deal for this repo.

@sharmabikram sharmabikram merged commit 09e2740 into master Apr 27, 2026
41 checks passed
@sharmabikram sharmabikram deleted the shbikram/fix-setuptools branch April 27, 2026 17:56