[Security] Bump setuptools from 69.1.0 to 70.0.0
Bumps setuptools from 69.1.0 to 70.0.0. This update includes a security fix.
Vulnerabilities fixed
setuptools vulnerable to Command Injection via package URL
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Patched versions: 70.0.0
Affected versions: < 70.0.0
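The bug class the advisory describes, shown as an added example that is not setuptools' own code (the module name package_index and the idea of URL-driven download functions come from the advisory above; the function names, the sample URLs, the allow-list of schemes and the use of `echo` as a stand-in for the VCS client are assumptions made for this illustration). It places a helper that interpolates a user-supplied URL into a shell command line beside the argv-list form, and adds the allow-list check a practitioner would run before spawning anything:

```python
# Added illustration, not code from setuptools: a VCS "download" helper that formats a
# user-supplied URL into a shell command line versus one that passes argv as a list.
# `echo` stands in for the real VCS client so the example runs offline with no side effects.
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample inputs (assumptions for the example, not taken from the advisory).
BENIGN_URL = "https://example.invalid/repo.git"
HOSTILE_URL = "https://example.invalid/repo.git; echo INJECTED"

# Policy chosen for this example: only network schemes a VCS fetch legitimately needs.
ALLOWED_SCHEMES = {"https", "ssh", "git+https", "git+ssh"}
# Characters that let a URL break out of one shell word or smuggle a second command.
_SHELL_META = re.compile(r"""[;&|`$<>(){}\s'"\\]""")


def clone_via_shell_string(url: str, dest: str) -> str:
    """Weak pattern: the URL is interpolated into a string that /bin/sh parses.

    Any shell metacharacter in `url` terminates the intended command and starts
    the attacker's. Returns the captured stdout so the effect is observable.
    """
    cmd = "echo clone --quiet %s %s" % (url, dest)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


def clone_via_argv(url: str, dest: str) -> str:
    """Hardened pattern: no shell, one argv element per argument.

    The URL stays a single argument whatever it contains, and `--` keeps a URL
    beginning with '-' from being parsed as an option (argument injection).
    """
    argv = ["echo", "clone", "--quiet", "--", url, dest]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def validate_vcs_url(url: str) -> str:
    """Allow-list check to run before any subprocess is spawned; returns the URL or raises."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc or url.startswith("-"):
        raise ValueError("URL must name a host and must not look like an option")
    if _SHELL_META.search(url):
        raise ValueError("URL contains shell metacharacters or whitespace")
    return url


def is_acceptable_vcs_url(url: str) -> bool:
    """Boolean form of validate_vcs_url, convenient for filtering index-supplied links."""
    try:
        validate_vcs_url(url)
    except ValueError:
        return False
    return True


def download(url: str, dest: str) -> str:
    """What a hardened download entry point looks like: validate, then argv-only execution."""
    return clone_via_argv(validate_vcs_url(url), dest)


if __name__ == "__main__":
    print("shell string :", repr(clone_via_shell_string(HOSTILE_URL, "pkg")))
    print("argv list    :", repr(clone_via_argv(HOSTILE_URL, "pkg")))
    print("validated    :", repr(download(BENIGN_URL, "pkg")))
```

Run stand-alone, the first line shows the shell executing the smuggled `echo INJECTED` as a second command, while the argv form prints the whole hostile string as one literal argument and the validated path never reaches the subprocess. The argv list alone is not the full fix, which is why `--` and the scheme allow-list are there: a URL such as `-oProxyCommand=...` or an `ext::` transport is still dangerous to hand to a real VCS client even as a single argument. To confirm an environment has left the affected range listed above, `python -m pip show setuptools` reports the installed version; anything below 70.0.0 needs this bump.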
Changelog
Sourced from setuptools's changelog.
v70.0.0
Features
- Emit a warning when [tools.setuptools] is present in pyproject.toml and will be ignored. -- by :user:SnoopJ (#4150)
- Improved AttributeError error message if pkg_resources.EntryPoint.require is called without extras or distribution. Gracefully "do nothing" when trying to activate a pkg_resources.Distribution with a None location, rather than raising a TypeError -- by :user:Avasam (#4262)
- Typed the dynamically defined variables from pkg_resources -- by :user:Avasam (#4267)
- Modernized and refactored VCS handling in package_index. (#4332)
Bugfixes
- In install command, use super to call the superclass methods. Avoids race conditions when monkeypatching from _distutils_system_mod occurs late. (#4136)
- Fix finder template for lenient editable installs of implicit nested namespaces constructed by using package_dir to reorganise directory structure. (#4278)
- Fix an error with UnicodeDecodeError handling in pkg_resources when trying to read files in UTF-8 with a fallback -- by :user:Avasam (#4348)
Improved Documentation
- Uses RST substitution to put badges in 1 line. (#4312)
Deprecations and Removals
- Further adoption of UTF-8 in setuptools. This change regards mostly files produced and consumed during the build process (e.g. metadata files, script wrappers, automatically updated config files, etc.). Although precautions were taken to minimize disruptions, some edge cases might be subject to backwards incompatibility. Support for "locale" encoding is now deprecated. (#4309)
- Remove setuptools.convert_path after long deprecation period. This function was never defined by setuptools itself, but rather a side-effect of an import for internal usage. (#4322)
- Remove fallback for customisations of distutils' build.sub_command after long deprecation period. Users are advised to import build directly from setuptools.command.build. (#4322)
- Removed typing_extensions from vendored dependencies -- by :user:Avasam (#4324)
- Remove deprecated setuptools.dep_util. The provided alternative is setuptools.modified. (#4360)
... (truncated)
Commits
- 5cbf12a Workaround for release error in v70
- 9c1bcc3 Bump version: 69.5.1 → 70.0.0
- 4dc0c31 Remove deprecated setuptools.dep_util (#4360)
- 6c1ef57 Remove xfail now that test passes. Ref #4371.
- d14fa01 Add all site-packages dirs when creating simulated environment for test_edita...
- 6b7f7a1 Prevent bin folders to be taken as extern packages when vendoring (#4370)
- 69141f6 Add doctest for vendorised bin folder
- 2a53cc1 Prevent 'bin' folders to be taken as extern packages
- 7208628 Replace call to deprecated validate_pyproject command (#4363)
- 96d681a Remove call to deprecated validate_pyproject command
- Additional commits viewable in compare view