Bump setuptools from 70.3.0 to 78.1.1#251
Conversation
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: setuptools 70.3.0 → 78.1.1
Semver risk: Multi-major (8 major versions)
Dependency type: Build-only (not in [project].dependencies)
CI status: Linting passing; DMG/EXE builds in progress at review time
Changelog Analysis
Sources consulted:
- PR body (setuptools NEWS.rst, truncated)
Breaking changes:
- v78.0.0:
setup.cfgno longer accepts uppercase or dash-separated option names — not applicable: this repo usespyproject.tomlonly, with lowercase/underscore names throughout - v78.0.0: Reverted a prior distutils change that broke monkey-patching of command classes — net-neutral
Security fixes:
- v78.1.1: More fully sanitized the filename in
PackageIndex._download(pypa/setuptools#4946) — filename sanitization fix in the package download path
Other notable changes:
- v78.1.0: Restored access to
_get_vc_envwith a deprecation warning - v78.0.2: Postponed removal of deprecated
setup.cfgfields (all packages advised to migrate before 2026)
Compatibility Assessment
- Project uses affected APIs (
setup.cfguppercase/dash options): no - Peer dependency changes: none
- Code changes required: none
- Prior failed attempts: none noted
Recommendation
APPROVE — security fix for a build-only dependency; v78.0.0 breaking changes are not applicable to this project.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
| "setuptools-scm>=8", | ||
| "setuptools>=64,<71", | ||
| "setuptools>=78.1.1,<79", | ||
| ] |
There was a problem hiding this comment.
praise: Pinning the lower bound to >=78.1.1 specifically ensures the security fix in pypa/setuptools#4946 is included, while <79 appropriately scopes to the 78.x series and avoids unknown future breaking changes from 79.x.
|
@dependabot recreate |
Bumps [setuptools](https://github.com/pypa/setuptools) from 70.3.0 to 78.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v70.3.0...v78.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-version: 78.1.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
b944a67 to
fac2d28
Compare
Bumps setuptools from 70.3.0 to 78.1.1.
Changelog
Sourced from setuptools's changelog.
... (truncated)
Commits
8e4868aBump version: 78.1.0 → 78.1.1100e9a6Merge pull request #49518faf1d7Add news fragment.2ca4a9fRely on re.sub to perform the decision in one expression.e409e80Extract _sanitize method for sanitizing the filename.250a6d1Add a check to ensure the name resolves relative to the tmpdir.d8390feExtract _resolve_download_filename with test.4e1e893Merge https://github.com/jaraco/skeleton3a3144fFix typo:pyproject.license->project.license(#4931)d751068Fix typo: pyproject.license -> project.license