Python setuptools needs to be updated to 78.1.1 or later to address CVE-2025-47273

[aaronmaxlevy]

CVE-2025-47273 is a high severity vulnerability in setuptools involving path traversal leading to arbitrary file writing.

Currently, protobuf is pinned to setuptools version 70.3.0 which is vulnerable. setuptools should be updated to 78.1.1 or later in order to address this.

[jguamie]

We cannot update in place without breaks. Do you have recommendations on what we should be migrating to?

[aaronmaxlevy]

We cannot update in place without breaks. Do you have recommendations on what we should be migrating to?

So setuptools definitely should be updated, but the issue that is causing the build failure seems to be related to bazelbuild/bazel#4327 and/or bazel-contrib/rules_python#617 .

In theory, updating from Bazel 7.2.1 to 7.4.0 should fix this, except that I just tried that locally and it still didn't work. I will continue to look into this further, but essentially execroot/com_google_protobuf/external/protobuf_pip_deps_setuptools/site-packages/setuptools/_vendor/jaraco/text/Lorem ipsum.txt is missing because it isn't getting copied properly due to a space being present in the filename. This being despite the fact that in theory, this should work as of Bazel 7.4.0.

Definitely warrants further investigation

[aaronmaxlevy]

Actually, @jguamie — updating Bazel to 7.4.0 may fix it after all. I just updated my PR with that change and hopefully the tests will run and have a better outcome than before (if not all passing) :)

Oddly, it was still erroring out on my Mac, but I tried building with 7.4.0 on a linux machine, and it was successful :)

[aaronmaxlevy]

Ugh — scratch that, I can only get it working locally if I manually use the standalone spawn mode instead of sandboxed.

Seems like this is a newly discovered Bazel bug, so I filed bazelbuild/bazel#26255 with them.

[aaronmaxlevy]

I've added an sh_binary wrapper to my code as suggested by the Bazel team at bazelbuild/bazel#26255 (comment) . This change fixed the build locally for me, so I am optimistic that this will work, but we'll see if/when the tests run.