Vulnerable dependency to setuptools!?
Opened this issue · 0 comments
callebokedal commented
- safety version: 2.3.5
- Python version: Python 3.9.6
- Operating System: macOS 13.6 (22G120)
Description
Just installed safety in a new virtual environment. Seems like it has a dependency on vulnerable setuptools 58.0.4
What I Did
cd somefolder
python3 -m venv .safety-env
source .safety-env/bin/activate
pip install --upgrade pip # -> Successfully installed pip-23.2.1
pip install safety
pip freeze
# Result:
# certifi==2023.7.22
# charset-normalizer==3.3.0
# click==8.1.7
# dparse==0.6.3
# idna==3.4
# packaging==21.3
# pyparsing==3.1.1
# requests==2.31.0
# ruamel.yaml==0.17.35
# ruamel.yaml.clib==0.2.8
# safety==2.3.5
# tomli==2.0.1
# urllib3==2.0.6
# But then, after checking:
safety check
# I get info:
# -> Vulnerability found in setuptools version 58.0.4
# To check more, I install 'pipdeptree' and run it
pip install pipdeptree
pipdeptree -fl
# Result:
# pip==23.2.1
# pipdeptree==2.13.0
# safety==2.3.5
# click==8.1.7
# dparse==0.6.3
# packaging==21.3
# pyparsing==3.1.1
# tomli==2.0.1
# packaging==21.3
# pyparsing==3.1.1
# requests==2.31.0
# certifi==2023.7.22
# charset-normalizer==3.3.0
# idna==3.4
# urllib3==2.0.6
# ruamel.yaml==0.17.35
# ruamel.yaml.clib==0.2.8
# setuptools==58.0.4
# Suggestion - upgrade setuptools to >= 65.5.1
pip install --upgrade setuptools # -> 68.2.2
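Added example (not from the issue author or the safety project): a small stdlib-only script that parses the `pip freeze` / `pipdeptree -fl` style output shown above, explains why setuptools is missing from plain `pip freeze` (it hides pip, setuptools and wheel unless given `--all`, while `python -m venv` seeds setuptools into every new venv), and flags a setuptools below the 65.5.1 floor that `safety check` reported. The sample text, the function names and the numeric-only version comparison (a simplification, not PEP 440) are assumptions of this example.

```python
import re
import subprocess
import sys

MIN_SETUPTOOLS = "65.5.1"  # floor quoted by `safety check` in the issue

# Constructed sample mirroring the issue's `pipdeptree -fl` output (indent = depth).
# setuptools is listed because `python -m venv` seeds it into every new venv;
# plain `pip freeze` omits pip/setuptools/wheel unless given --all.
SAMPLE_PIPDEPTREE = """\
safety==2.3.5
  click==8.1.7
  dparse==0.6.3
    packaging==21.3
setuptools==58.0.4
"""

def parse_version(v: str) -> tuple[int, ...]:
    """Numeric-only version tuple; sufficient for X.Y.Z release strings (not full PEP 440)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_freeze_lines(text: str) -> dict[str, str]:
    """Map distribution name -> version from `name==version` lines, any indent."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.\-]+)==(\S+)", line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def outdated_setuptools(text: str, floor: str = MIN_SETUPTOOLS) -> list[str]:
    """Return a list of findings; an empty list means setuptools is acceptable."""
    version = parse_freeze_lines(text).get("setuptools")
    if version is None:
        # Plain `pip freeze` does not list venv-seeded setuptools at all.
        return ["setuptools not listed: rerun with `pip freeze --all` or pipdeptree"]
    if parse_version(version) < parse_version(floor):
        return [f"setuptools {version} < {floor}: run `pip install --upgrade setuptools`"]
    return []

def check_current_env() -> list[str]:
    """Apply the same check to the interpreter running this script (uses --all)."""
    out = subprocess.run([sys.executable, "-m", "pip", "freeze", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return outdated_setuptools(out)

if __name__ == "__main__":
    print("\n".join(outdated_setuptools(SAMPLE_PIPDEPTREE) or ["setuptools OK"]))
```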