### What version of rules_python do you want to patch?

2.0.x (currently 2.0.1). The default toolchain mapping on `release/2.0` is 3.10.19 / 3.11.14 / 3.12.12 (plus the current 3.13 and 3.14 entries).

The `release/2.0` branch ships Python toolchain versions with several known high-severity CVEs that have already been fixed on `main` but were not backported. Bumping the 2.0 series would let downstream users pick up these fixes without a major-version migration.

### What pull requests do you want to backport?

- #3708: feat(toolchains): Add 3.10.20, 3.11.15, 3.12.13, 3.13.{12,13}, 3.14.{3,4}, 3.15.0a8

### Why (security context)

The interpreter binary and the `setuptools/_vendor/*` bundle shipped inside the python-build-standalone archives that current `release/2.0` toolchains point at are flagged with the following CVEs. Each row shows the minimum Python patch release that contains a fix, and whether the `release/2.0` default mapping currently satisfies it.

| Affected component | Fixed in | `release/2.0` default status |
|---|---|---|
| `http.client` (interpreter): memory DoS on attacker-controlled `Content-Length` | the patched interpreters pulled in by #3708 | vulnerable |
| `wheel` (vendored at `setuptools/_vendor/wheel-*`), affected `>=0.40.0, <=0.46.1` | setuptools ≥ 80.10 (vendors wheel 0.46.3), i.e. python-build-standalone release ≥ 20260414, which maps to 3.10.20 / 3.11.15 / 3.12.13 / 3.13.12 / 3.14.3 | vulnerable (current bundle vendors wheel 0.45.1) |
| `jaraco.context` (vendored at `setuptools/_vendor/jaraco.context-*`), affected `>=5.2.0, <6.1.0` | same as above (setuptools ≥ 80.10 vendors jaraco.context 6.1.0) | vulnerable on every minor |

All three are remediated together by the toolchain bumps introduced in #3708, since the newer python-build-standalone releases pulled in by that PR ship both the patched interpreter and an updated setuptools bundle.

### What this would unblock

A 2.0.2 patch release containing #3708 would let `release/2.0` consumers move from 3.11.14 → 3.11.15, 3.12.12 → 3.12.13, 3.10.19 → 3.10.20 (and the matching 3.13 / 3.14 bumps) by just bumping `bazel_dep(name = "rules_python", version = "2.0.2")` and updating `minor_mapping`.
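As an added check for anyone verifying a toolchain against the table above (example code written for this issue, not code from rules_python or python-build-standalone): given the `*.dist-info` directory names under a toolchain's `setuptools/_vendor` and its `sys.version_info`, it reports which of the three items still apply. The affected ranges and the per-minor fix releases are the ones quoted in the table; the sample bundle listings are constructed, and the `jaraco.context 5.3.0` and `packaging` entries in them are assumptions.

```python
"""Audit a python-build-standalone toolchain against the three items in the
table above: the vendored wheel and jaraco.context ranges and the first
interpreter patch release whose bundle ships setuptools >= 80.10.

Added example for this issue; not code from rules_python or
python-build-standalone. Affected ranges and the per-minor fix releases
are the ones quoted in the table; the sample bundles below are constructed.
"""
import re
import sys
from pathlib import Path

# First patch release per minor that ships python-build-standalone
# release 20260414 (setuptools >= 80.10, wheel 0.46.3, jaraco.context 6.1.0).
FIXED_INTERPRETER = {
    (3, 10): (3, 10, 20),
    (3, 11): (3, 11, 15),
    (3, 12): (3, 12, 13),
    (3, 13): (3, 13, 12),
    (3, 14): (3, 14, 3),
}

# Affected ranges of the vendored packages: (low inclusive, high, high_inclusive).
AFFECTED_VENDORED = {
    "wheel": ((0, 40, 0), (0, 46, 1), True),          # >=0.40.0, <=0.46.1
    "jaraco.context": ((5, 2, 0), (6, 1, 0), False),  # >=5.2.0, <6.1.0
}

# e.g. "jaraco.context-5.3.0.dist-info" -> name "jaraco.context", version "5.3.0"
_DIST_INFO = re.compile(r"^(?P<name>[A-Za-z0-9_.]+?)-(?P<version>\d+(?:\.\d+)*)\.dist-info$")


def normalize(name):
    """PEP 503-style name normalization so 'jaraco.context' == 'jaraco_context'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def vendored_versions(dir_names):
    """Map normalized distribution name -> version tuple from *.dist-info names."""
    found = {}
    for entry in dir_names:
        match = _DIST_INFO.match(entry)
        if match:
            found[normalize(match.group("name"))] = parse_version(match.group("version"))
    return found


def is_affected(pkg, version):
    """True when `version` falls inside the affected range for `pkg`."""
    low, high, high_inclusive = AFFECTED_VENDORED[pkg]
    if version < low:
        return False
    return version <= high if high_inclusive else version < high


def interpreter_needs_bump(version_info):
    """True if (major, minor, micro) is below the first fixed patch release.

    Returns None for minors the table does not cover (e.g. 3.15 pre-releases).
    """
    major, minor, micro = tuple(version_info)[:3]
    fixed = FIXED_INTERPRETER.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, micro) < fixed


def audit(vendor_dir_names, version_info):
    """Findings for one toolchain: True = still affected, False = fixed, None = not found/unknown."""
    versions = vendored_versions(vendor_dir_names)
    findings = {}
    for pkg in AFFECTED_VENDORED:
        version = versions.get(normalize(pkg))
        findings[pkg] = None if version is None else is_affected(pkg, version)
    findings["interpreter"] = interpreter_needs_bump(version_info)
    return findings


def audit_path(vendor_dir, version_info=sys.version_info):
    """Run audit() against a real setuptools/_vendor directory on disk."""
    names = [p.name for p in Path(vendor_dir).iterdir() if p.is_dir()]
    return audit(names, version_info)


# Constructed sample bundles (directory names only). The wheel 0.45.1 entry
# matches the issue; the jaraco.context 5.3.0 and packaging entries are assumed.
SAMPLE_CURRENT_BUNDLE = [
    "wheel-0.45.1.dist-info",
    "jaraco.context-5.3.0.dist-info",
    "packaging-24.2.dist-info",
]
SAMPLE_FIXED_BUNDLE = [
    "wheel-0.46.3.dist-info",
    "jaraco.context-6.1.0.dist-info",
    "packaging-24.2.dist-info",
]

if __name__ == "__main__":
    print("3.11.14 / current bundle:", audit(SAMPLE_CURRENT_BUNDLE, (3, 11, 14)))
    print("3.11.15 / fixed bundle:  ", audit(SAMPLE_FIXED_BUNDLE, (3, 11, 15)))
```

To check an installed toolchain rather than the constructed listings, point `audit_path()` at that interpreter's `site-packages/setuptools/_vendor` directory and run it under the interpreter you are auditing, so `sys.version_info` reflects the toolchain rather than the host Python.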