fix(deps): update dependency setuptools to v78 [security] #50

renovate · 2025-05-19T23:53:26Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
setuptools (changelog)	`^75.0.0` -> `^78.0.0`
setuptools (changelog)	`==75.1.0` -> `==78.1.1`

GitHub Vulnerability Alerts

CVE-2025-47273

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details

    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)

Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946

Release Notes

pypa/setuptools (setuptools)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2025-05-19T23:53:27Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...

Creating virtualenv encryption-helper-cGULurH--py3.13 in /home/ubuntu/.cache/pypoetry/virtualenvs

The current project's supported Python range (>=3.8,<4.0) is not compatible with some of the required packages Python requirement:
  - setuptools requires Python >=3.9, so it will not be satisfied for Python >=3.8,<3.9
  - setuptools requires Python >=3.9, so it will not be satisfied for Python >=3.8,<3.9
  - setuptools requires Python >=3.9, so it will not be satisfied for Python >=3.8,<3.9
  - setuptools requires Python >=3.9, so it will not be satisfied for Python >=3.8,<3.9

Because no versions of setuptools match >=78.0.0,<78.0.1 || >78.0.1,<78.0.2 || >78.0.2,<78.1.0 || >78.1.0,<78.1.1 || >78.1.1,<79.0.0
 and setuptools (78.0.1) requires Python >=3.9, setuptools is forbidden.
And because setuptools (78.0.2) requires Python >=3.9
 and setuptools (78.1.0) requires Python >=3.9, setuptools is forbidden.
So, because setuptools (78.1.1) requires Python >=3.9
 and encryption-helper depends on setuptools (>=78.0.0,<79.0.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For setuptools, a possible solution would be to set the `python` property to ">=3.9,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.9,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.9,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.9,<4.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers

fix(deps): update dependency setuptools to v78 [security]

64c08ea

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency setuptools to v78 [security] #50

fix(deps): update dependency setuptools to v78 [security] #50

Uh oh!

renovate bot commented May 19, 2025

Uh oh!

renovate bot commented May 19, 2025

Uh oh!

Uh oh!

fix(deps): update dependency setuptools to v78 [security] #50

Are you sure you want to change the base?

fix(deps): update dependency setuptools to v78 [security] #50

Uh oh!

Conversation

renovate bot commented May 19, 2025

GitHub Vulnerability Alerts

Summary

Details

Risk Assessment

Impact

References

Release Notes

Configuration

Uh oh!

renovate bot commented May 19, 2025

⚠️ Artifact update problem

File name: poetry.lock

Uh oh!

Uh oh!