Bug report

Bug description:

Python 3.12 runtime includes a vulnerable version of setuptools (v67.6.1).
File location: /lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl

It is present in the final runtime layer, causing vulnerability scanners to flag the image with high-severity CVEs.

While this file is not actively used by a running application, its presence on the filesystem is sufficient for security scanners to detect and report these vulnerabilities.

for other versions also, we're seeing multiple setuptools versions installed along with the latest v80.9.0

• 3.9.23: v58.1.0
• 3.10.18, 3.11.13: v65.5.0
• 3.12.11, 3.13.4: v67.6.1

We wanted to know if this multiple setuptools installation behaviour is fixed in upcoming Python version upgrades.

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Linked PRs

• [3.11] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135396
• [3.9] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135397
• [3.10] gh-135374: Update the bundled copy of setuptools to 79.0.1 #135398