Skip to content

fix(deps): update dependency setuptools to v83 [security]#1886

Open
oep-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-setuptools-vulnerability
Open

fix(deps): update dependency setuptools to v83 [security]#1886
oep-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-setuptools-vulnerability

Conversation

@oep-renovate

@oep-renovate oep-renovate Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
setuptools (changelog) ==78.1.1==83.0.0 age confidence
setuptools (changelog) ==80.10.2==83.0.0 age confidence

BIT-setuptools-2026-59890 / CVE-2026-59890 / GHSA-h35f-9h28-mq5c / PYSEC-2026-3447

More information

Details

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Release Notes

pypa/setuptools (setuptools)

v83.0.0

Compare Source

v82.0.1

Compare Source

v82.0.0

Compare Source

v81.0.0

Compare Source

v80.10.2

Compare Source

v80.10.1

Compare Source

v80.9.0

Compare Source

v80.8.0

Compare Source

v80.7.1

Compare Source

v80.7.0

Compare Source

v80.6.0

Compare Source

v80.4.0

Compare Source

v80.3.1

Compare Source

v80.3.0

Compare Source

v80.2.0

Compare Source

v80.1.0

Compare Source

v80.0.1

Compare Source

v80.0.0

Compare Source

v79.0.1

Compare Source

v79.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
@oep-renovate

oep-renovate Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: interactive_ai/workflows/train/trainer/uv.lock
Command failed: uv lock --upgrade-package setuptools
Using CPython 3.10.20 interpreter at: /opt/containerbase/tools/python/3.10.20/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.10.*' and platform_machine != 's390x' and
  │ sys_platform == 'darwin'):
  ╰─▶ Because otx==2.6.0 depends on setuptools==78.1.1 and your project
      depends on otx==2.6.0, we can conclude that your project depends on
      setuptools==78.1.1.
      And because your project depends on setuptools==83.0.0, we can conclude
      that your project's requirements are unsatisfiable.

hint: The resolution failed for an environment that is not the current one, consider limiting the environments with `tool.uv.environments`.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants