Bug report

Bug description:

Python 3.12 runtime includes a vulnerable version ofsetuptools (v67.6.1).
File location: /lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl

It is present in the final runtime layer, causing vulnerability scanners to flag the image with high-severity CVEs.

While this file is not actively used by a running application, its presence on the filesystem is sufficient for security scanners to detect and report these vulnerabilities.

for other versions also, we're seeingmultiple setuptools versions installed along with the latestv80.9.0

• 3.9.23:v58.1.0
• 3.10.18, 3.11.13:v65.5.0
• 3.12.11, 3.13.4:v67.6.1

We wanted to know if this multiple setuptools installation behaviour is fixed in upcoming Python version upgrades.

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Linked PRs

• [3.11] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135396
• [3.9] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135397
• [3.10] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135398
• [3.11] gh-135374: Adjust test for setuptools' replacement of distutils #138796
• [3.10] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139303
• [3.9] gh-135374: Adjust test for setuptools' replacement of distutils (GH-138796) #139304