could you please upgrade setuptools version to latest

[RohitThakur92]

I am using python:3.11-alpine3.21 docker image from docker hub however this docker image is having one high level of vulnerability which is related to setuptools library. I would recommend you to upgrade the setuptools version from 65.5.1 to 76.1.0, which can help us to resolve the currently present vulnerability and republish the docker image to dockerhub

[edmorley]

These images by design use the pip/setuptools versions that are bundled with the version of Python being installed.

Python 3.11 comes with setuptools v65.5.0:
https://github.com/python/cpython/tree/3.11/Lib/ensurepip/_bundled

So this is expected, and not something that will be changed in these images. (Updating to setuptools 70+ would be a breaking change for a start.)

You will either need to either:

1. Update to Python 3.12 or newer (which no longer bundles setuptools)
2. Update setuptools in your own Dockerfile
3. Ask upstream CPython to update to newer setuptools in Python 3.11
4. Suppress the vulnerability alert if appropriate (you didn't say what vulnerability you were referring to, but it's quite possible it's a non-issue in practice - many setuptools codepaths are not used when it's used as a pip build backend, or need several other criteria to be a problem etc)

See also:

• Vulnerability with setuptools < 70.0.0 (CVE-2024-6345) #942
• Stop including setuptools and wheel in Python 3.12+ images #952

[yosifkit]

These images by design use the pip/setuptools versions that are bundled with the version of Python being installed.

@edmorley is correct. We do not update setuptools in the image; we just include the bundled version. See also #781 (comment)

[edmorley]

It looks like upstream CPython has now updated setuptools in all non-EOL Python versions that still ship it (so 3.9, 3.10, 3.11):

• [CVE-2025-47273, CVE-2024-6345] in setuptools 67.6.1 bundled with Python 3.12 Runtime python/cpython#135374
• [3.9] gh-135374: Update the bundled copy of setuptools to 79.0.1 python/cpython#135397
• [3.10] gh-135374: Update the bundled copy of setuptools to 79.0.1 python/cpython#135398
• [3.11] gh-135374: Update the bundled copy of setuptools to 79.0.1 python/cpython#135396

This change hasn't yet been released upstream, but will be made available during the next patch release for those older versions (which happens sporadically; typically when there are a collection of security fixes that need to be released).

I believe the image building scripts in this repo will automatically pick up the change, since they use the setuptools version from upstream (with the exception of a 65.5.0 -> 65.5.1 mapping, which will now be redundant and a no-op):

python/versions.sh

Lines 162 to 188 in 3fae0a1

	# TODO remove setuptools version handling entirely once Python 3.11 is EOL
	setuptoolsVersion="$(sed -nre 's/^_SETUPTOOLS_VERSION[[:space:]]*=[[:space:]]*"(.*?)".*/\1/p' <<<"$ensurepipVersions")"
	case "$rcVersion" in
	3.9 | 3.10 | 3.11)
	if [ -z "$setuptoolsVersion" ]; then
	echo >&2 "error: $version: missing setuptools version"
	exit 1
	fi
	if ! wget -q -O /dev/null -o /dev/null --spider "https://pypi.org/pypi/setuptools/$setuptoolsVersion/json"; then
	echo >&2 "error: $version: setuptools version ($setuptoolsVersion) seems to be invalid?"
	exit 1
	fi
	# https://github.com/docker-library/python/issues/781 (TODO remove this if 3.10 and 3.11 embed a newer setuptools and this section no longer applies)
	if [ "$setuptoolsVersion" = '65.5.0' ]; then
	setuptoolsVersion='65.5.1'
	fi
	;;
	*)
	# https://github.com/python/cpython/issues/95299 -> https://github.com/python/cpython/commit/ece20dba120a1a4745721c49f8d7389d4b1ee2a7
	if [ -n "$setuptoolsVersion" ]; then
	echo >&2 "error: $version: unexpected setuptools: $setuptoolsVersion"
	exit 1
	fi
	;;
	esac

Once the upstream changes are released, we could probably simplify/clean-up the versioning script further (like we did for the pip/wheel versions), since we'd never be customising the version in practice any more.