
build: upgrade Poetry to 2.4.1 and pin pip/setuptools/wheel#7726

Open
wtfiwtz wants to merge 2 commits into
getredash:masterfrom
orchestrated-io:build/poetry-pip-toolchain-upgrade

Conversation


@wtfiwtz wtfiwtz commented Jun 2, 2026

What type of PR is this?

  • Refactor

Description

Upgrades Python build toolchain in the Dockerfile:

  • POETRY_VERSION: 2.1.4 → 2.4.1
  • Upgrade pip>=26.1, setuptools>=78.1.1, wheel>=0.46.2 before Poetry install

This ensures:

  1. Poetry 2.4.1 is installed with current features and fixes
  2. pip/setuptools/wheel are upgraded to versions with known security fixes:
    • setuptools>=78.1.1 remediates CVE-2025-47273 (path traversal in sdist extraction)
    • pip>=26.1 and wheel>=0.46.2 provide current patch levels

The pip/setuptools/wheel upgrade happens before the Poetry install to ensure Poetry itself is installed with secure build tooling.

How is this tested?

  • Manually (container rebuild with make compose_build required for full validation)

Related Tickets & Documents

Split from #7718 per @zachliu's review feedback to separate build toolchain upgrades from base image changes.

Part of the security vulnerability remediation work tracked in #7711.

Note

This PR is marked as draft until manual container testing is complete.

Made with Cursor
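A check for the toolchain floors stated in the description above, added here as an example; it is not code from this PR or from the Redash repository. The minimum versions are the ones the description lists. The Dockerfile itself is not shown on this page, so reading the installed versions back through importlib.metadata, the helper names, and the pre-release handling are assumptions of this example.

```python
"""Verify that an installed Python build toolchain meets the PR's stated minimums.

Added example (not the PR's or Redash's own code). MINIMUMS copies the lower bounds
from the PR description; everything else is an assumption for illustration.
"""
import re
import sys
from importlib import metadata

# Lower bounds as stated in the PR description (assumed to match the Dockerfile).
MINIMUMS = {
    "pip": "26.1",
    "setuptools": "78.1.1",  # the PR cites CVE-2025-47273 for this floor
    "wheel": "0.46.2",
    "poetry": "2.4.1",
}

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Split a version string into (release tuple, is_final flag).

    '78.1.1' -> ((78, 1, 1), 1); '2.4.1rc1' -> ((2, 4, 1), 0).
    Post and local releases ('.post1', '+local') count as final; any other
    suffix (a/b/rc/dev) counts as a pre-release, which sorts below the final
    release of the same number. Raises ValueError if no leading number.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    rest = m.group(2).strip()
    is_final = 1 if (rest == "" or rest.startswith(".post") or rest.startswith("+")) else 0
    return release, is_final


def version_at_least(installed, minimum):
    """True if installed >= minimum, padding missing components with 0 ('26.1' == '26.1.0')."""
    (a, a_final), (b, b_final) = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a, a_final) >= (b, b_final)


def check_toolchain(installed, minimums=MINIMUMS):
    """Return {package: reason} for every package missing or below its floor.

    An empty dict means the toolchain satisfies every minimum.
    """
    problems = {}
    for name, minimum in minimums.items():
        have = installed.get(name)
        if have is None:
            problems[name] = f"not installed (need >={minimum})"
        elif not version_at_least(have, minimum):
            problems[name] = f"{have} < {minimum}"
    return problems


def installed_versions(names=MINIMUMS):
    """Read the versions actually installed in this interpreter; skip absent packages."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Run inside the built container: exits non-zero if any floor is not met.
    problems = check_toolchain(installed_versions())
    for name, why in sorted(problems.items()):
        print(f"FAIL {name}: {why}")
    sys.exit(1 if problems else 0)
```

Because the description uses lower-bound specifiers (>=) rather than exact pins, the versions that land in the image can drift upward between builds; this check reports whether the floors are met rather than asserting exact versions, which is the only property the description promises.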

wtfiwtz and others added 2 commits June 2, 2026 10:05
- POETRY_VERSION: 2.1.4 → 2.4.1
- Upgrade pip>=26.1, setuptools>=78.1.1, wheel>=0.46.2 before Poetry install

This ensures:
1. Poetry 2.4.1 is installed with current features and fixes
2. pip/setuptools/wheel are upgraded to versions with known security fixes:
   - setuptools>=78.1.1 remediates CVE-2025-47273 (path traversal in sdist)
   - pip>=26.1 and wheel>=0.46.2 provide current patch levels

The pip/setuptools/wheel upgrade happens before the Poetry install to ensure
Poetry itself is installed with secure build tooling.

Related: split from getredash#7718
Co-authored-by: Cursor <cursoragent@cursor.com>
@wtfiwtz wtfiwtz marked this pull request as ready for review June 2, 2026 21:40

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

