
aparnajyothi-y
Owner

Description:
This PR upgrades the setuptools dependency to version 78.1.1, which includes a fix for a known path traversal vulnerability.
The issue stemmed from unsafe handling of URLs in PackageIndex.download, allowing an attacker to write arbitrary files via crafted URLs.

Impact:
The vulnerability could potentially allow arbitrary file writes during package downloads, especially in scenarios using deprecated mechanisms like easy_install.

Fix:
setuptools>=78.1.1 introduces proper sanitization for filenames derived from URLs, mitigating the risk.

Note:
This change also ensures compatibility with poetry and avoids dependency resolution failures triggered by older versions of setuptools.

Related issue:
Dependabot #172

Checklist:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.
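Two defensive checks a maintainer might run around this dependency bump, as an added example that is not part of this PR and not setuptools' own code. The first confirms the installed setuptools meets the `>=78.1.1` floor the PR states, using the real `importlib.metadata` API. The second, `safe_download_name`, is a hypothetical helper that illustrates the class of mitigation the description refers to (deriving a filename from a URL without trusting any path component); it is not the actual sanitization inside `PackageIndex.download`, and the URLs in the usage block are constructed test inputs.

```python
"""Added example: a version-floor check plus a hypothetical URL-to-filename
sanitizer showing the mitigation class described in the PR. Not setuptools code."""
import re
from importlib import metadata
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

MIN_SETUPTOOLS = "78.1.1"  # version floor stated in the PR


def release_tuple(version: str) -> tuple:
    """Turn the dotted release segment into a comparable tuple,
    e.g. '78.1.1' -> (78, 1, 1). Pre-release/local suffixes are ignored,
    which is sufficient for a minimum-version check."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_setuptools_fixed(installed: Optional[str] = None,
                        minimum: str = MIN_SETUPTOOLS) -> bool:
    """True if the installed setuptools (or the given version string) meets
    the floor. Returns False when setuptools is not installed at all."""
    if installed is None:
        try:
            installed = metadata.version("setuptools")
        except metadata.PackageNotFoundError:
            return False
    return release_tuple(installed) >= release_tuple(minimum)


def safe_download_name(url: str, target_dir: str) -> Path:
    """Hypothetical helper (not PackageIndex.download): derive a filename
    from only the last path segment of the URL, reject anything that is not
    a plain single-component name, and verify the resolved destination stays
    inside target_dir. Raises ValueError for anything that would escape."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    if (not name or name in (".", "..") or "/" in name
            or "\\" in name or "\0" in name):
        raise ValueError(f"refusing unsafe filename derived from URL: {name!r}")
    base = Path(target_dir).resolve()
    dest = (base / name).resolve()
    if dest.parent != base:
        raise ValueError("resolved path escapes target directory")
    return dest


def is_safe_download_url(url: str, target_dir: str) -> bool:
    """Boolean wrapper around safe_download_name for quick checks."""
    try:
        safe_download_name(url, target_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("setuptools floor satisfied:", is_setuptools_fixed())
    # Constructed test inputs: one ordinary sdist URL, one with an encoded
    # traversal sequence in its final segment, one ending in a directory.
    for u in ("https://files.example/simple/pkg-1.0.tar.gz",
              "https://files.example/simple/..%2F..%2Fevil.txt",
              "https://files.example/simple/"):
        print(u, "->", "ok" if is_safe_download_url(u, ".") else "rejected")
```

The version check compares release tuples rather than strings so that `78.10.0` correctly sorts above `78.1.1`; the sanitizer takes only the final URL segment after percent-decoding and then re-validates the resolved path, so decoding tricks and absolute or parent-relative components are rejected rather than normalised away.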

@aparnajyothi-y aparnajyothi-y merged commit 4052b4d into main Aug 1, 2025
1199 checks passed