Updating setuptools to patch CVE-2025-47273 #22094
Conversation
@mkruskal-google Can you allow tests to run again? I believe that my latest commit updating Bazel to 7.4.0 should fix this, at least partially. The reason why it wasn't working properly appears to have been bazelbuild/bazel#4327, which was fixed in Bazel 7.4.0.

Actually — scratch that. The culprit seems to be a new bug that I seem to have found in Bazel bazelbuild/bazel#26255 :( I'll move this PR to Draft status while that Bazel bug is outstanding.

@mkruskal-google can you allow tests to run for this again? Per a suggestion from the Bazel team at bazelbuild/bazel#26255 (comment) I added an
@acozzette Thanks — looks like there are still some test failures here for a few reasons.
I believe that this can be updated in the files within
@aaronmaxlevy Thank you for all your work on this! Unfortunately upgrading our Bazel version is a non-trivial process, because there are a handful of Docker images that need to be rebuilt in addition to updating .bazeliskrc and the .yml files. I will try to find time to do that later this afternoon or tomorrow, though. Let me rerun the tests now to see if the CMake issue build error goes away.

No problem :) Happy to help. Looks like the CMake issue has resolved now, which is good.
…d to fail on Windows and fallback to the default python path

(force-pushed 8b55fb5 to 6ce6928)
@acozzette the Windows test should pass now if you re-run it. Turns out that the Pip package installation stuff doesn't actually work on Windows. The current build process ends up falling back to the system python's installed version of setuptools on Windows from what I can tell, which is what I changed the new wrapper script to also do. See protobuf/python/dist/system_python.bzl Line 176 in 960e790
WARNING: could not install pip dependencies in the output, e.g. https://github.com/protocolbuffers/protobuf/actions/runs/16047228021/job/45281342761?pr=22509#step:4:566
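The fallback described above means the setuptools that actually runs on Windows may be the system interpreter's copy rather than the pinned one, so it is worth checking which copy was resolved and whether it meets the patched version floor. This is an added example, not code from the protobuf project; the floor version is an assumption the caller must supply from the setuptools advisory for CVE-2025-47273, and the `resolved` override exists only so the check can be exercised on constructed values.

```python
import re
import sys
from importlib import metadata
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading dotted release segment as an int tuple ('65.5.0.post1' -> (65, 5, 0)).
    Pre/post/dev suffixes are ignored, which is enough for a floor check."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def meets_floor(installed: str, floor: str) -> bool:
    """True if installed >= floor, padding so that '78.1' compares equal to '78.1.0'."""
    a, b = parse_version(installed), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def resolve_setuptools() -> Optional[Tuple[str, str]]:
    """(version, install location) of the setuptools this interpreter imports, or None.
    The location tells you whether a hermetic copy or the system site-packages won."""
    try:
        dist = metadata.distribution("setuptools")
    except metadata.PackageNotFoundError:
        return None
    return dist.version, str(dist.locate_file(""))


def check(floor: str, resolved: Optional[Tuple[str, str]] = None) -> dict:
    """Report which setuptools was resolved and whether it meets `floor`.
    `resolved` is a (version, location) override used for offline testing (constructed values);
    when omitted the running interpreter is probed."""
    found = resolved if resolved is not None else resolve_setuptools()
    report = {"interpreter": sys.executable, "found": found is not None, "ok": False}
    if found is not None:
        version, location = found
        report.update(version=version, location=location, ok=meets_floor(version, floor))
    return report


if __name__ == "__main__":
    # Floor is deliberately not hard-coded here: take it from the setuptools advisory.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <patched-setuptools-version>")
    print(check(sys.argv[1]))
```

Run it with the interpreter the build actually used (for the Windows fallback, the system python) and compare the reported location against the hermetic pip-deps output path.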
This is necessary for upgrading setuptools, because older Bazel versions apparently can't handle whitespace in file names: #22094 PiperOrigin-RevId: 778242489
This is necessary for upgrading setuptools, because older Bazel versions apparently can't handle whitespace in file names: #22094 PiperOrigin-RevId: 780210543
@acozzette thank you so much for your help in getting this merged / rolled out!

You're welcome and thank you for sending us the fix!

No problem!
⚠️ **CAUTION: this is a major update, indicating a breaking change!** ⚠️

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [protoc](https://github.com/protocolbuffers/protobuf) | major | `31.1` -> `32.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>protocolbuffers/protobuf (protoc)</summary>

### [`v32.0`](https://github.com/protocolbuffers/protobuf/releases/tag/v32.0): Protocol Buffers v32.0

[Compare Source](protocolbuffers/protobuf@v31.1...v32.0)

### Announcements

- [Protobuf News](https://protobuf.dev/news/) may include additional announcements or pre-announcements for upcoming changes.

### Bazel

- Migrates some Java test protos using java\_features.proto to edition 2024 (protocolbuffers/protobuf@6f4a990)
- Add generated message reflection unittest for `import option` and `option_deps` test proto in edition 2024. (protocolbuffers/protobuf@c51df73)
- Replace the usage of cc\_info.debug\_context with \_debug\_context (protocolbuffers/protobuf@776c5f2)
- Generate .pyi files in py\_proto\_library ([#​10366](protocolbuffers/protobuf#10366)) ([#​21567](protocolbuffers/protobuf#21567)) (protocolbuffers/protobuf@e3e56c7)
- Introduce denylisted\_protos as a preferred replacement for blacklisted\_protos attribute. (protocolbuffers/protobuf@795ab9d)
- Use native.proto\_library for Bazel 7 and explicitly error for Bazel 6 which is incompatible and out of support. (protocolbuffers/protobuf@da0077e)
- Require ProtoInfo provider instead of proto\_library rule for bazel cc\_proto\_library deps. (protocolbuffers/protobuf@639f1c9)

### Compiler

- Strip extensions from option imports that are known in CollectExtensions due to polluted pool from protoc parse when used with protoc full + java built in generator. (protocolbuffers/protobuf@ef3f9ca)
- Deprecate `google.protobuf.Method.syntax` and `google.protobuf.Method.edition` (protocolbuffers/protobuf@9ec241e)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Ban `import weak` and `weak` field option in edition 2024 in protoc (parser and c++ runtime). (protocolbuffers/protobuf@a2a0511)

### C++

- Strip extensions from option imports that are known in CollectExtensions due to polluted pool from protoc parse when used with protoc full + java built in generator. (protocolbuffers/protobuf@ef3f9ca)
- Manually migrate top-level protobuf unittest protos from edition 2023 to edition 2024. (protocolbuffers/protobuf@7359f75)
- Add generated message reflection unittest for `import option` and `option_deps` test proto in edition 2024. (protocolbuffers/protobuf@c51df73)
- Remove the flag requirement for Bazel+MSVC users. (protocolbuffers/protobuf@c6ba697)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Cast GetCachedTID() to unsigned to prevent left-shifting a negative number. (protocolbuffers/protobuf@3e935cf)
- Update comment at the top of message.h and message\_lite.h to document that it should only be extended by gencode and not user code. (protocolbuffers/protobuf@6a6ba52)
- Treat warnings encountered in chromium builds as errors. (protocolbuffers/protobuf@21c3c53)
- Ban `import weak` and `weak` field option in edition 2024 in protoc (parser and c++ runtime). (protocolbuffers/protobuf@a2a0511)

### Java

- Strip extensions from option imports that are known in CollectExtensions due to polluted pool from protoc parse when used with protoc full + java built in generator. (protocolbuffers/protobuf@ef3f9ca)
- Remove CollectExtensions check banning unknown custom options since unknown custom options are now expected when using `import option` and `option_deps` which exclude the options from the "builder" pool (aka "import" pool). (protocolbuffers/protobuf@694eedd)
- Manually migrate top-level protobuf unittest protos from edition 2023 to edition 2024. (protocolbuffers/protobuf@7359f75)
- Migrates some Java test protos using java\_features.proto to edition 2024 (protocolbuffers/protobuf@6f4a990)
- Restore compatibility of runtime with pre-3.22.x gencode impacted by CVE-2022-3171 (protocolbuffers/protobuf@adf556f)
- Update our compiled\_edition\_default's maximum\_edition to 2024 ([#​22870](protocolbuffers/protobuf#22870)) (protocolbuffers/protobuf@6216ae4)
- Restore the long-deprecated static functions on TextFormat. (protocolbuffers/protobuf@5777d3b)
- Add Kotlin class name helpers to names.h (protocolbuffers/protobuf@527b2ab)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Update Java gencode base class documentation to clarify that it is not supported to extend them. (protocolbuffers/protobuf@c3177fb)
- Add a FieldMaskUtil#trim overload that accepts TrimOptions and allows retaining unset primitive field state. (protocolbuffers/protobuf@84c5b63)

### Csharp

- Update staleness (protocolbuffers/protobuf@0014173)
- Manually migrate top-level protobuf unittest protos from edition 2023 to edition 2024. (protocolbuffers/protobuf@7359f75)
- Update our compiled\_edition\_default's maximum\_edition to 2024 ([#​22870](protocolbuffers/protobuf#22870)) (protocolbuffers/protobuf@6216ae4)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Include also ARM build of protoc in nuget package ([#​21568](protocolbuffers/protobuf#21568)) (protocolbuffers/protobuf@c2b4040)
- Improve C# handling of Any JSON serialization/deserialization (protocolbuffers/protobuf@dc4e429)

### Objective-C

- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)

### Rust

- Rust: remove `DEP_UPB_VERSION` check in codegen crate ([#​22764](protocolbuffers/protobuf#22764)) (protocolbuffers/protobuf@6f6012a)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Update Rust generator to output minidescriptors instead of C minitables (protocolbuffers/protobuf@1b4b5fc)
- Add \[clear\_and\_]parse\_dont\_enforce\_required() to Rust protobuf. (protocolbuffers/protobuf@e2fd7a0)
- Add #\[non\_exhaustive] on the oneof-case enum (protocolbuffers/protobuf@aba2075)
- Impl Clone for RepeatedIter (protocolbuffers/protobuf@aca1ed5)
- *See also UPB changes below, which may affect Rust.*

### Python

- Strip extensions from option imports that are known in CollectExtensions due to polluted pool from protoc parse when used with protoc full + java built in generator. (protocolbuffers/protobuf@ef3f9ca)
- Manually migrate top-level protobuf unittest protos from edition 2023 to edition 2024. (protocolbuffers/protobuf@7359f75)
- Raise warnings for float\_precision from python json\_format. ([#​23042](protocolbuffers/protobuf#23042)) (protocolbuffers/protobuf@1a7e012)
- Raise warnings when assign bool to int/enum ([#​23030](protocolbuffers/protobuf#23030)) (protocolbuffers/protobuf@0b25f7b)
- Update python edition default maximum edition to 2024 ([#​22889](protocolbuffers/protobuf#22889)) (protocolbuffers/protobuf@72abf95)
- Make protobuf codebase compatible with `--incompatible_config_setting_private_default_visibility` ([#​22745](protocolbuffers/protobuf#22745)) (protocolbuffers/protobuf@5e2838e)
- Add Python deprecation warnings for Descriptor Label. (protocolbuffers/protobuf@64a76e6)
- Updating setuptools to patch CVE-2025-47273 ([#​22094](protocolbuffers/protobuf#22094)) (protocolbuffers/protobuf@508aba1)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Extend gencode compatibility support back to 3.20.0 (protocolbuffers/protobuf@1af7fd4)
- Change proto\_api work with custom pool for upb and pure python. (protocolbuffers/protobuf@49d9e2d)
- Python pyi print "import datetime" for Duration/Timestamp field (protocolbuffers/protobuf@f59b84a)
- Add reference leak check to Python well\_known\_types\_test. Fix two refleak bugs. (protocolbuffers/protobuf@e5f9ab4)
- Add reference leak check to Python timestamp\_test and duration\_test. Fix a refleak bug when assign datetime/duration to Timestamp/Duration (protocolbuffers/protobuf@e004c8b)
- Add recursion depth limits to pure python (protocolbuffers/protobuf@17838be)
- Remove calls to Label within Protobuf Python. (protocolbuffers/protobuf@f69180a)
- Change Python .pyi stubs to generated \_Optional\[] for bool fields same with (protocolbuffers/protobuf@6972464)
- Remove internal/api\_implementation.Version() (protocolbuffers/protobuf@cbad456)
- Fix python proto\_api to work with messages that required fields are not set. (protocolbuffers/protobuf@f63ed55)
- Fix python upb crashes on map/repeated reference stub destructor (protocolbuffers/protobuf@4274909)
- Mark Py JSON float\_precision deprecated. (protocolbuffers/protobuf@727a8ed)

### PHP

- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Fix(php): use count instead of ->count() to avoid bug in c-extension (protocolbuffers/protobuf@9fbce62)
- \[php]\[compiler]\[ext] - Add missing has\* methods and other well known types ([#​20636](protocolbuffers/protobuf#20636)) (protocolbuffers/protobuf@01a7429)
- Fix PHP 8.4 deprecation in GPBDecodeException ([#​21232](protocolbuffers/protobuf#21232)) (protocolbuffers/protobuf@676666e)

##### PHP C-Extension

- Update our compiled\_edition\_default's maximum\_edition to 2024 ([#​22870](protocolbuffers/protobuf#22870)) (protocolbuffers/protobuf@6216ae4)
- Change 'getLabel is deprecated' to E\_USER\_DEPRECATED (protocolbuffers/protobuf@158d8ac)
- \[php]\[compiler]\[ext] - Add missing has\* methods and other well known types ([#​20636](protocolbuffers/protobuf#20636)) (protocolbuffers/protobuf@01a7429)
- *See also UPB changes below, which may affect PHP C-Extension.*

### Ruby

- Make protobuf codebase compatible with `--incompatible_config_setting_private_default_visibility` ([#​22745](protocolbuffers/protobuf#22745)) (protocolbuffers/protobuf@5e2838e)
- Enable edition 2024 support in protoc and language generators for cpp, hpb, java, kotlin, objectivec, php, python, pyi, rust. (protocolbuffers/protobuf@26843b3)
- Fix silent failure of `rb_test` rules to run test ([#​21733](protocolbuffers/protobuf#21733)) (protocolbuffers/protobuf@4f74764)

##### Ruby C-Extension

- Update our compiled\_edition\_default's maximum\_edition to 2024 ([#​22870](protocolbuffers/protobuf#22870)) (protocolbuffers/protobuf@6216ae4)
- Removed `wrap_memcpy.c` compatibility shim for pre-2.14 glibc (protocolbuffers/protobuf@4ba9733)
- *See also UPB changes below, which may affect Ruby C-Extension.*

### UPB (Python/PHP/Ruby C-Extension)

- Update our compiled\_edition\_default's maximum\_edition to 2024 ([#​22870](protocolbuffers/protobuf#22870)) (protocolbuffers/protobuf@6216ae4)
- Make protobuf codebase compatible with `--incompatible_config_setting_private_default_visibility` ([#​22745](protocolbuffers/protobuf#22745)) (protocolbuffers/protobuf@5e2838e)
- Add upb\_Message\_SetExtensionMessage as a helper for setting a extension field that is a message. This is the extension equivalent of upb\_Message\_SetBaseFieldMessage. (protocolbuffers/protobuf@f15d28a)

### Other

- Update github major version tags to be formatted v<MAJOR>.<MINOR>.<MICRO>-<language> for clarity (protocolbuffers/protobuf@e001d57)
- Upgrade Abseil dependency to [`2025051`](https://github.com/protocolbuffers/protobuf/commit/20250512).1 (protocolbuffers/protobuf@ee68ed1)
- Patch `rules_ruby` to apply `neverlink = True` to the `jars` rule ([#​21416](protocolbuffers/protobuf#21416)) (protocolbuffers/protobuf@88e11bd)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.
This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Updating setuptools to patch CVE-2025-47273
Also updated Bazel to 7.4.0 due to bazelbuild/bazel#4327
Fixes #22165