Update version of setuptools required to 78.1.1 #950
+14
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is to address a recent security scan warning, https://github.com/quantumlib/qsim/security/code-scanning/86, about a vulnerability in [setuptools versions before 78.1.1](GHSA-5rjg-fvgr-3xxf).
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the required version of setuptools to 78.1.1 to address a security vulnerability. The changes in requirements.txt and setup.py correctly apply this update. My review includes two high-severity recommendations to improve your project's dependency management and align with modern Python packaging standards. First, I suggest removing build-time dependencies like setuptools from requirements.txt to prevent them from being incorrectly treated as runtime dependencies. Second, I recommend migrating build dependencies from the deprecated setup_requires in setup.py to a [build-system] table in pyproject.toml, which is the standard practice.
This addresses a point made by Gemini Code Assist in review: > `setuptools` is a build-time dependency, not a runtime dependency. It > should not be listed in `requirements.txt` because this file's contents > are passed to `install_requires` in `setup.py` (line 148). This forces users > of your library to install `setuptools`, which is unnecessary.
This addresses a point made by Gemini Code Assist in review: > `setup_requires` is a deprecated and problematic way to specify > build-time dependencies. The modern, PEP 518-compliant way is to > specify them in `pyproject.toml`.
May as well have a configuration for this, even though we have only one TOML file (`pyproject.toml`).
github-actions
bot
added
size: S
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is to address a recent security scan warning, about a vulnerability in setuptools versions before 78.1.1.
In response to review comments by Gemini Code Assist, I also:
setup_requiresfield ofsetup.pyintopyproject.tomlrequirements.txttodev-requirements.txtI also made a drive-by addition to
.editorconfigto add an indentation rule for.tomlfiles.