
Please update pip to at least version 25.2

Open combro2k opened this issue 3 months ago • 5 comments

There is a 5-day-old reported vulnerability: https://github.com/advisories/GHSA-4xh5-x5gv-qwph Can you please update the Python 3.12-based images with a pip version of at least 25.2? To be specific, the -slim one :-)

combro2k avatar Sep 29 '25 10:09 combro2k

These images by design use the pip/setuptools versions that are bundled with the version of Python being installed.

Python 3.11 comes with setuptools v65.5.0: https://github.com/python/cpython/tree/3.11/Lib/ensurepip/_bundled

So this is expected, and not something that will be changed in these images. (Updating to setuptools 70+ would be a breaking change for a start.)

You will need to either:

  1. Update to Python 3.12 or newer (which no longer bundles setuptools)
  2. Update setuptools in your own Dockerfile
  3. Ask upstream CPython to update to newer setuptools in Python 3.11
  4. Suppress the vulnerability alert if appropriate (you didn't say which vulnerability you were referring to, but it's quite possible it's a non-issue in practice - many setuptools code paths are not used when it's used as a pip build backend, or need several other criteria to be met to be a problem, etc.)

See also: https://github.com/docker-library/python/issues/1012#issuecomment-2736331135

Therefore you should raise that request upstream, or update yourself.

ad-m-ss avatar Sep 29 '25 12:09 ad-m-ss
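One way to carry out option 2 above (upgrade pip/setuptools in your own Dockerfile on top of the official slim image rather than waiting for the base image to change), as an added example that is not part of this thread or of the docker-library/python project; the base tag, the minimum versions and the build-arg names are assumptions:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the official image's own Dockerfile. PY_TAG, PIP_MIN and
# SETUPTOOLS_MIN are hypothetical build args; set them to match the advisory
# you are tracking.
ARG PY_TAG=3.12-slim
FROM python:${PY_TAG}

ARG PIP_MIN=25.2
# Python 3.12+ no longer bundles setuptools, so a setuptools floor only matters
# for 3.11-and-older images (or when your own build needs it). Empty = skip.
ARG SETUPTOOLS_MIN=

# Upgrade in place; pip's resolver fails the build if a constraint cannot be met.
RUN set -eux; \
    python -m pip install --no-cache-dir --upgrade "pip>=${PIP_MIN}"; \
    if [ -n "${SETUPTOOLS_MIN}" ]; then \
        python -m pip install --no-cache-dir --upgrade "setuptools>=${SETUPTOOLS_MIN}"; \
    fi

# Independent check of what is actually installed, so the build fails loudly
# (rather than a scanner alert silently reappearing) if a floor is not met.
RUN python - <<'EOF'
import os, sys
from importlib.metadata import version, PackageNotFoundError

def as_tuple(v):
    # Compare only the leading numeric components; good enough for pip/setuptools.
    return tuple(int(p) for p in v.split(".")[:3] if p.isdigit())

floors = {"pip": os.environ["PIP_MIN"]}
if os.environ.get("SETUPTOOLS_MIN"):
    floors["setuptools"] = os.environ["SETUPTOOLS_MIN"]

problems = []
for name, floor in floors.items():
    try:
        have = version(name)
    except PackageNotFoundError:
        problems.append(f"{name}: not installed (want >= {floor})")
        continue
    if as_tuple(have) < as_tuple(floor):
        problems.append(f"{name}: {have} < {floor}")
    else:
        print(f"{name} {have} >= {floor}: ok")

if problems:
    print("version floor check FAILED:", *problems, sep="\n  ")
    sys.exit(1)
EOF
```

Build with `docker build --build-arg PY_TAG=3.11-slim --build-arg SETUPTOOLS_MIN=78 .` for a 3.11 image where the bundled setuptools is the concern; with the defaults only pip is upgraded.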

Hi @ad-m-ss, I see that for 3.13 the bundled pip was updated to 25.3 last week: https://github.com/python/cpython/tree/3.13/Lib/ensurepip/_bundled

Seems like this change isn't going through for the built image, as 3.13 still has pip 25.1 even though it was recently re-built.

Can we please re-open the issue? Or would you prefer to have a new one specifically for 3.13 and pip 25.3?

Thanks

mabecke avatar Nov 10 '25 16:11 mabecke

What do you mean by re-open? I do not have the authority to close / open anything here, and it looks like it was never closed. I am just watching and know a little about the policies.

ad-m-ss avatar Nov 10 '25 17:11 ad-m-ss

If you look at https://github.com/python/cpython/commit/9a3a1479880ef82f4da04484181097edb01ac1b6, you'll see that it's not part of any release tags yet (you can compare that to an older commit like https://github.com/python/cpython/commit/1ba09b2f0445eb80fd255ee2d9cbbdc859e0bb41 which was included in 3.13.6+ to see what I mean), so that means it should be part of the next 3.13 release.

See also https://github.com/python/cpython/compare/v3.13.9...3.13 for a full list of what might be in that next release (comparing the latest release tag, v3.13.9 to that in-progress 3.13 release branch).

tianon avatar Nov 10 '25 18:11 tianon

(As a matter of process: if that stays for the release and doesn't get reverted, the bump will happen automatically as part of / with the release bump.)

tianon avatar Nov 10 '25 18:11 tianon