Pinning wheel at version 0.46.3 #1124
Hey thanks for taking a look at this PR. I realize that bumping setuptools was an approach that was discussed in the past and would diverge from the I mainly wanted to open this PR because wheel re-added the functionality they previously removed, and I wasn't sure if you all were aware. Unfortunately, just bumping wheel doesn't remove the CVE finding, because setuptools also bundles wheel at an earlier version. I'm not seeing a way to remove the CVE finding without bumping setuptools, but that still may not be acceptable in this repo. I'm happy to close this PR or take another approach if needed, this might not be the right place to bump these versions. Let me know either way!
| @@ -25,7 +25,7 @@ | |||
| } | |||
| }, | |||
| "setuptools": { | |||
| "version": "79.0.1" | |||
| "version": "81.0.0" | |||
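Review bot: The setuptools bump from 79.0.1 to 81.0.0 in this hunk is out of scope for a PR whose stated purpose is pinning wheel at 0.46.3, and the description itself says bumping setuptools was discussed before and may not be acceptable in this repo. Suggest dropping this hunk and keeping only the wheel pin; the copy of wheel bundled inside setuptools that the description mentions should be tracked as a separate finding rather than folded into this change.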
Bumping setuptools is a no-go, but the wheel bump is probably fine?
Yeah fair enough - I'll revert the setuptools bump.
wheel <= 0.46.1 currently has a high severity CVE, and the version pinned in this repo is affected. The pin was originally due to wheel 0.46.0 removing bdist_wheel, but it was later re-added in 0.46.2, with a related fix in 0.46.3. Would it be possible to pin at 0.46.3 now, since the version fixes the CVE and won't break earlier versions of setuptools?

Related issues:
- CVE-2026-24049 for wheel <=0.46.1
- wheel 0.46.0 release had breaking changes
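The version-range reasoning above (wheel <= 0.46.1 affected, 0.46.3 carrying the fix) as a small pin-file audit, added here as an example and not code from this repository or the wheel project; the pin file is constructed in the name -> {"version": ...} shape the hunk shows, and the advisory table only holds what the PR states.

```python
import json
import re

# Constructed pin file in the shape the hunk shows; the wheel entry mirrors
# the affected pin the description talks about, setuptools the pre-bump value.
PINS_JSON = """
{
  "setuptools": {"version": "79.0.1"},
  "wheel": {"version": "0.46.1"}
}
"""

# Advisory data taken from the PR text: wheel <= 0.46.1 is affected by
# CVE-2026-24049; 0.46.3 is the release the PR proposes pinning to.
ADVISORIES = {
    "wheel": {"id": "CVE-2026-24049", "last_affected": "0.46.1", "fixed": "0.46.3"},
}


def parse_version(v):
    """Turn a dotted release string into a comparable tuple of ints.
    Assumes plain releases like 0.46.3; pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version, last_affected):
    """True when version <= last_affected, i.e. inside the advisory's range."""
    return parse_version(version) <= parse_version(last_affected)


def audit_pins(pins_json, advisories=ADVISORIES):
    """Return {package: (pinned, advisory_id, fixed)} for each pinned
    package whose version falls in an advisory's affected range."""
    pins = json.loads(pins_json)
    findings = {}
    for name, adv in advisories.items():
        pinned = pins.get(name, {}).get("version")
        if pinned is not None and is_affected(pinned, adv["last_affected"]):
            findings[name] = (pinned, adv["id"], adv["fixed"])
    return findings


if __name__ == "__main__":
    for pkg, (pinned, cve, fixed) in audit_pins(PINS_JSON).items():
        print(f"{pkg} {pinned} is affected by {cve}; pin {fixed} or later")
```

A clean result from this check only covers the top-level pin: the copy of wheel that setuptools bundles, which the description says carries the same finding, is not visible in the pin file and has to be checked against the setuptools version separately.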