Skip to content

Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 4, 2025
Merged

Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download #1165

merged 4 commits into from
Aug 4, 2025

Conversation

aparnajyothi-y
Copy link
Contributor

This PR upgrades the setuptools dependency to version 78.1.1, which includes a fix for a known path traversal vulnerability.
The issue stemmed from unsafe handling of URLs in PackageIndex.download, allowing an attacker to write arbitrary files via crafted URLs.

Impact:
The vulnerability could potentially allow arbitrary file writes during package downloads, especially in scenarios using deprecated mechanisms like easy_install.

Fix:
setuptools>=78.1.1 introduces proper sanitization for filenames derived from URLs, mitigating the risk.

Note:
This change also ensures compatibility with poetry and avoids dependency resolution failures triggered by older versions of setuptools.

Related issue:
Dependabot #172

aparnajyothi-y and others added 4 commits July 31, 2025 18:36
@Copilot Copilot AI review requested due to automatic review settings August 1, 2025 05:54
@aparnajyothi-y aparnajyothi-y requested a review from a team as a code owner August 1, 2025 05:54
Copilot
Copilot AI reviewed Aug 1, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR upgrades setuptools to version 78.1.1 to address a path traversal vulnerability in PackageIndex.download and ensures compatibility with newer Python versions.

  • Adds explicit setuptools dependency with minimum version 78.1.1 to mitigate security vulnerability
  • Updates minimum Python version requirement from 3.8 to 3.9
  • Addresses potential arbitrary file write risks during package downloads

@HarithaVattikuti HarithaVattikuti merged commit 9322b3c into actions:main Aug 4, 2025
1299 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@HarithaVattikuti HarithaVattikuti HarithaVattikuti approved these changes

@priyagupta108 priyagupta108 priyagupta108 approved these changes

@gowridurgad gowridurgad gowridurgad approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aparnajyothi-y @HarithaVattikuti @priyagupta108 @gowridurgad