Pinning wheel at version 0.46.3 by caheinz2 · Pull Request #1124 · docker-library/python · GitHub

Pinning wheel at version 0.46.3 #1124

Open
caheinz2 wants to merge 1 commit into docker-library:master from caheinz2:master

Conversation

@caheinz2


wheel <= 0.46.1 currently has a high-severity CVE, and the version pinned in this repo is affected. The pin was originally due to wheel 0.46.0 removing bdist_wheel, but it was later re-added in 0.46.2, with a related fix in 0.46.3. Would it be possible to pin at 0.46.3 now, since the version fixes the CVE and won't break earlier versions of setuptools?

Related issues:
CVE-2026-24049 for wheel <=0.46.1
wheel 0.46.0 release had breaking changes

caheinz2 commented Jun 15, 2026

Comment thread: versions.json (Outdated), lines +9 to +28

Member

Bumping setuptools is a no-go, but the wheel bump is probably fine?

Author

Yeah, fair enough - I'll revert the setuptools bump.
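A small audit for the pin this thread is about, written as an added example; it is not code from docker-library/python or from the PR author. It assumes (a) a versions.json layout with one entry per Python minor version that carries the pinned wheel version under `"wheel": {"version": ...}`, which is an assumption about the repository, and (b) the version facts stated in the PR description: wheel <= 0.46.1 is affected by CVE-2026-24049, and bdist_wheel was removed in 0.46.0 and restored in 0.46.2. The sample JSON is constructed for the example, and the version comparator only handles plain dotted integer releases.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout this example ASSUMES for
# docker-library/python's versions.json (one entry per Python minor
# version, each carrying pinned pip/setuptools/wheel versions). The
# numbers are illustrative, not copied from the repository.
SAMPLE_VERSIONS_JSON = """
{
  "3.10": {"version": "3.10.17", "pip": {"version": "25.0"},
           "setuptools": {"version": "75.1.0"}, "wheel": {"version": "0.45.1"}},
  "3.12": {"version": "3.12.9",  "pip": {"version": "25.0"},
           "setuptools": {"version": "75.1.0"}, "wheel": {"version": "0.46.1"}},
  "3.13": {"version": "3.13.2",  "pip": {"version": "25.0"},
           "setuptools": {"version": "75.1.0"}, "wheel": {"version": "0.46.3"}}
}
"""

# Facts taken from the PR description: wheel <= 0.46.1 is affected by
# CVE-2026-24049; bdist_wheel is absent in 0.46.0 and 0.46.1 (inclusive).
LAST_AFFECTED = "0.46.1"
BDIST_WHEEL_MISSING = ("0.46.0", "0.46.1")
BDIST_WHEEL_RESTORED = "0.46.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a plain release version like '0.46.3' into a comparable tuple.
    Only dotted integer releases are handled; anything else (pre-release
    or local suffixes) raises so a pin is never silently misjudged."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def version_le(a: str, b: str) -> bool:
    """a <= b with shorter tuples zero-padded, so '0.46' == '0.46.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta <= tb


def audit_wheel_pins(versions_json: str) -> Dict[str, List[str]]:
    """Return {python_minor: [problems]} for each entry whose wheel pin is in
    the CVE-affected range or in the range that lacks bdist_wheel.
    Entries with a clean pin are omitted."""
    data = json.loads(versions_json)
    findings: Dict[str, List[str]] = {}
    for minor, entry in sorted(data.items()):
        pinned = entry["wheel"]["version"]
        problems = []
        if version_le(pinned, LAST_AFFECTED):
            problems.append(
                f"wheel {pinned} <= {LAST_AFFECTED}: affected by CVE-2026-24049")
        lo, hi = BDIST_WHEEL_MISSING
        if version_le(lo, pinned) and version_le(pinned, hi):
            problems.append(
                f"wheel {pinned} lacks bdist_wheel "
                f"(removed in {lo}, restored in {BDIST_WHEEL_RESTORED})")
        if problems:
            findings[minor] = problems
    return findings


if __name__ == "__main__":
    for minor, problems in audit_wheel_pins(SAMPLE_VERSIONS_JSON).items():
        for problem in problems:
            print(f"{minor}: {problem}")
```

Run against the sample, the 3.10 and 3.12 entries are flagged (3.12 on both counts, since 0.46.1 is both CVE-affected and missing bdist_wheel) and 3.13 at 0.46.3 is clean, which is the state the PR asks for. To use it on the real file, replace `SAMPLE_VERSIONS_JSON` with the contents of versions.json and adjust the key path if the repository's layout differs from the assumed one.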
