From b663554f76e94645ba05d55db9e57a7b5b50dd18 Mon Sep 17 00:00:00 2001
From: Bikram Sharma
Date: Fri, 24 Apr 2026 13:14:17 -0700
Subject: [PATCH 1/3] fix: Bump setuptools to patch CVE-2024-6345
Replace setuptools==66.1.1 with setuptools>=75.0 to address CVE-2024-6345. Modernize build command from deprecated 'python setup.py sdist bdist_wheel' to 'python -m build', which requires the build package.
---
 dev_requirements/release-requirements.txt | 3 ++-
 tox.ini | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/dev_requirements/release-requirements.txt b/dev_requirements/release-requirements.txt
index fa2ef83b..71817525 100644
--- a/dev_requirements/release-requirements.txt
+++ b/dev_requirements/release-requirements.txt
@@ -1,5 +1,6 @@
 pypi-parker==0.1.2
-setuptools==66.1.1
+setuptools>=75.0
+build>=1.0
 twine==3.8.0
 wheel==0.38.4
 #This is required for twine < 4.0
diff --git a/tox.ini b/tox.ini
index 9024f22b..b62af069 100644
--- a/tox.ini
+++ b/tox.ini
@@ -403,7 +403,7 @@ basepython = python3
 skip_install = true
 deps = -rdev_requirements/release-requirements.txt
 commands =
- python setup.py sdist bdist_wheel
+ python -m build
 [testenv:release-base]
 basepython = python3
From a384259cb42f4f0f5450c494581ea2faafcfa187 Mon Sep 17 00:00:00 2001
From: Bikram Sharma
Date: Fri, 24 Apr 2026 13:31:35 -0700
Subject: [PATCH 2/3] fix: Add dev_requirements to MANIFEST.in
Include dev_requirements in source distribution so the sourcebuildcheck tox environment can find test-requirements.txt in the extracted tarball.
---
 MANIFEST.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/MANIFEST.in b/MANIFEST.in
index a88526aa..b8305a57 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -8,5 +8,6 @@ recursive-exclude doc .DS_Store *.pyc
 prune doc/build
 prune doc/lib/generated
+recursive-include dev_requirements *
 recursive-include test *
 recursive-exclude test .DS_Store *.pyc
\ No newline at end of file
From e1a68ea4a2c1d3d1eca2b0b48b8780942ab86401 Mon Sep 17 00:00:00 2001
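Review bot: `setuptools>=75.0` and `build>=1.0` leave the release toolchain unpinned while every neighbouring entry in this file (`pypi-parker==0.1.2`, `twine==3.8.0`, `wheel==0.38.4`) is pinned exactly, so the environment that builds and uploads the release will float to whatever is newest on PyPI at run time. For a release pipeline that is a supply-chain exposure: a bad or compromised future setuptools or build release would be pulled in with no review step. Pin both to exact versions at or above the fixed one (e.g. `setuptools==75.0.0` and a specific `build` release) and bump deliberately; if the project hash-pins anywhere else, add `--hash` values here too.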
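Review bot: Switching to `python -m build` may not actually apply the setuptools floor this series adds, because `build` defaults to PEP 517 build isolation and installs the backend from the project's `[build-system] requires` (or a permissive `setuptools >= 40.8.0` default when there is no `pyproject.toml`), not from release-requirements.txt listed in `deps`. Unless `pyproject.toml`, which is not visible here, already pins setuptools to a fixed version, the isolated build can still run a vulnerable setuptools while the CVE appears patched. Either run `python -m build --no-isolation` so the toolchain installed via `deps` is the one that builds the artifacts, or add the same floor to `build-system.requires` and say so in the commit message. The enclosing `[testenv:...]` header is outside the hunk.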
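Review bot: `recursive-include dev_requirements *` ships the entire directory in the public sdist, although the commit message only needs `test-requirements.txt`; anything else that later lands in that directory (release tooling pins, lock files, local scratch files) would be published to PyPI as well. Prefer the narrow form, `include dev_requirements/test-requirements.txt`, or at least restrict the glob to `dev_requirements/*.txt`. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the line is touched.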
From: Bikram Sharma
Date: Fri, 24 Apr 2026 13:35:51 -0700
Subject: [PATCH 3/3] fix: Update sdist glob pattern for PEP 625 naming
Newer setuptools normalizes package names using underscores instead of hyphens in sdist filenames (PEP 625). Update the glob pattern in source-build-check.sh to match both formats.
---
 test/source-build-check.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/source-build-check.sh b/test/source-build-check.sh
index 1d6986a1..65f028cb 100755
--- a/test/source-build-check.sh
+++ b/test/source-build-check.sh
@@ -12,13 +12,13 @@ echo "Using working directory ${WORKINGDIR}"
 echo "Using dist directory ${DISTDIR}"
 echo "Locating the source build and copying it into the working directory."
-DISTFILE=$(ls ${DISTDIR}/dynamodb-encryption-sdk-*.tar.gz | tail -1)
+DISTFILE=$(ls ${DISTDIR}/dynamodb?encryption?sdk-*.tar.gz | tail -1)
 echo "Found source build at ${DISTFILE}"
 cp ${DISTFILE} ${WORKINGDIR}
 echo "Extracting the source build."
 cd ${WORKINGDIR}
-NEWDISTFILE=$(ls dynamodb-encryption-sdk-*.tar.gz | tail -1)
+NEWDISTFILE=$(ls dynamodb?encryption?sdk-*.tar.gz | tail -1)
 echo "Using distfile ${NEWDISTFILE}"
 tar xzvf ${NEWDISTFILE}
 rm ${NEWDISTFILE}
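Review bot: The `?` wildcard in `dynamodb?encryption?sdk-*.tar.gz` matches any single character, not just `-` or `_`, so the new pattern is looser than the commit message describes and could select an unrelated or stale archive sitting in `${DISTDIR}`. A bracket expression states exactly what is meant: `DISTFILE=$(ls "${DISTDIR}"/dynamodb[-_]encryption[-_]sdk-*.tar.gz | tail -1)` and `NEWDISTFILE=$(ls dynamodb[-_]encryption[-_]sdk-*.tar.gz | tail -1)`. Both lines also still parse `ls` output and leave `${DISTDIR}`, `${DISTFILE}` and `${NEWDISTFILE}` unquoted, and when nothing matches `tail -1` yields an empty `DISTFILE`, so the later `cp` and `tar` fail on an empty argument rather than at the lookup; a `[ -n "${DISTFILE}" ] || exit 1` guard after the assignment would fail fast. The script's shebang and any `set -e` are outside the hunk.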