Hi, I’ve run into issues with two dependencies while updating an application that uses pycpix. These dependency versions are now flagged as vulnerable by our security tooling, so I wanted to raise them here.
protobuf 3.20.x
protobuf 3.20.x is affected by the following CVEs:
The Widevine _pb2.py file would need to be regenerated with a modern version of protobuf. A workaround exists where the environment variable PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python can be set… but ideally this wouldn't be required.
setuptools 70.x.x
setuptools 70.x.x is affected by:
It appears pycpix pins this older version due to the known upstream setuptools issue:
pypa/setuptools#4483
Environment
Python version: 3.13
OS: Ubuntu 22.04
pycpix version: 1.4.1
Thanks for maintaining the project!
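As an added example (not pycpix code and not part of the issue above), the following script shows how an application that depends on pycpix can audit the two dependency series named in the report and apply or verify the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python workaround. The FLAGGED_SERIES table and the function names are assumptions for this illustration; the only protobuf API it relies on is google.protobuf.internal.api_implementation.Type(), which reports the backend protobuf selected at import time. The caveat it makes visible is that the variable is read when google.protobuf is first imported, so it must be exported before the process starts (or set before the first import), not after.

```python
"""Added example: audit the dependency series flagged in the report and apply /
verify the pure-Python protobuf workaround. Not pycpix's own code."""
import os
import sys
from importlib import metadata

# Release series the report says are flagged by security tooling
# (protobuf 3.20.x, setuptools 70.x). Assumed structure for this example.
FLAGGED_SERIES = {"protobuf": "3.20", "setuptools": "70"}


def parse_version(version):
    """Leading numeric components of a version string as a tuple of ints:
    "3.20.3" -> (3, 20, 3); a non-numeric suffix such as "3rc1" keeps only "3"."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def in_series(version, series):
    """True when `version` belongs to `series` (component-wise prefix match),
    so "3.20.3" is in "3.20" but "3.2.1" and "4.25.1" are not."""
    v, s = parse_version(version), parse_version(series)
    return v[: len(s)] == s


def audit(installed):
    """installed: {distribution name: version string}. Returns one line per
    distribution that falls in a flagged series."""
    flagged = []
    for name, series in FLAGGED_SERIES.items():
        version = installed.get(name)
        if version is not None and in_series(version, series):
            flagged.append(f"{name} {version} (flagged {series}.x series)")
    return flagged


def installed_versions(names=tuple(FLAGGED_SERIES)):
    """Look up the named distributions in the current environment."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass  # not installed here; nothing to flag
    return found


def with_pure_python_protobuf(env):
    """Copy of `env` with the workaround variable set, suitable for passing as
    the env of a subprocess that will import the stale Widevine _pb2 module."""
    new_env = dict(env)
    new_env["PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION"] = "python"
    return new_env


def workaround_can_still_apply():
    """protobuf reads the variable on first import of google.protobuf; once
    that import has happened in this process, setting it changes nothing."""
    return "google.protobuf" not in sys.modules


def active_protobuf_backend():
    """Backend protobuf actually chose ("python", "cpp" or "upb"), or None when
    protobuf is not installed. Importing it here fixes the choice for this process."""
    try:
        from google.protobuf.internal import api_implementation
    except ImportError:
        return None
    return api_implementation.Type()


if __name__ == "__main__":
    # Constructed sample alongside the live environment, so the audit logic is
    # visible even on a machine without these packages installed.
    sample = {"protobuf": "3.20.3", "setuptools": "70.0.0"}
    print("sample audit:", audit(sample))
    print("this environment:", audit(installed_versions()))
    if workaround_can_still_apply():
        os.environ.update(with_pure_python_protobuf({}))
    print("protobuf backend in use:", active_protobuf_backend())
```

Run it once with the variable exported in the shell (PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python python audit.py) and once without to see the backend switch; the audit lines are what the report's security tooling would flag until the _pb2.py is regenerated and the setuptools pin is lifted.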