19 changes: 18 additions & 1 deletion python/googleapis/python-multi/Dockerfile
@@ -116,7 +116,7 @@ RUN LATEST_VERSION="2.6.1" && \
dpkg -i cosign_${LATEST_VERSION}_amd64.deb && \
rm cosign_${LATEST_VERSION}_amd64.deb

ARG PYTHON_VERSIONS="3.10.19 3.11.14 3.12.12 3.13.11 3.14.0"
ARG PYTHON_VERSIONS="3.10.19 3.11.14 3.12.12 3.13.11 3.14.3"

SHELL ["/bin/bash", "-c"]

@@ -182,6 +182,10 @@ RUN rm -rf /usr/local/lib/python3.12/test/wheeldata/wheel-0.40.0-py3-none-any.wh
# See upstream bug https://github.com/python/cpython/issues/131860
RUN rm -rf /usr/local/lib/python3.10/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl

# TODO: Remove this code once a newer version of Python 3.11 is available
# There is no patch for CVE-2023-5752. We need to manually remove the vulnerable pip-24.0/pip-25.0.1 binary
RUN rm -rf /usr/local/lib/python3.11/ensurepip/_bundled/pip-24.0-py3-none-any.whl

# Install pip on Python 3.10 only.
# If the environment variable is called "PIP_VERSION", pip explodes with
# "ValueError: invalid truth value '<VERSION>'"
@@ -231,15 +235,23 @@ RUN for PYTHON_VERSION in 3.10 3.11; do \
# Remove bundled 0.45.1 wheel
# since it does not include a fix for CVE-2026-24049
&& rm -rf /usr/local/lib/python${PYTHON_VERSION}/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl \
# Remove bundled pip 25.0.1
# since it does not include a fix for CVE-2025-8869
&& rm -rf /usr/local/lib/python${PYTHON_VERSION}/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl \
; done

# Python 3.12 is preferred because it does not include
# a bundled version of setuptools in `Lib/ensurepip/_bundled`
# which could be impacted by CVE-2025-47273/CVE-2025-47273.
RUN python3.12 -m venv /venv
RUN /venv/bin/python -m pip install --upgrade pip
RUN /venv/bin/python -m pip install --no-cache-dir -r /requirements-3.12.txt
ENV PATH=/venv/bin:$PATH

# TODO: Remove this code once a newer version of Python 3.12 is available
# There is no patch for CVE-2023-5752. We need to manually remove the vulnerable pip-24.0/pip-25.0.1 binary
RUN rm -rf /usr/local/lib/python3.12/ensurepip/_bundled/pip-25.0.1-py3-none-any.whl

# TODO: Remove this code once there is a newer version of virtualenv which does not include setuptools 75.3.2
# https://github.com/pypa/virtualenv/tree/main/src/virtualenv/seed/wheels/embed
# In the interim, remove the bundled setuptools 75.3.2 wheel
@@ -250,6 +262,11 @@ RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/setup
# In the interim, remove the bundled wheel 45.1
# since it does not include a fix for CVE-2026-24049
RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl
# TODO: Remove this code once there is a newer version of virtualenv which does not include pip 25.0.1
# https://github.com/pypa/virtualenv/tree/main/src/virtualenv/seed/wheels/embed
# In the interim, remove the bundled wheel 25.0.1
# since it does not include a fix for CVE-2025-8869
RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl

# Setup Cloud SDK
ENV CLOUD_SDK_VERSION=555.0.0
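Review bot: The comments on the two ensurepip removals (python3.11 `pip-24.0` and python3.12 `pip-25.0.1`) cite CVE-2023-5752, while the same pip 25.0.1 wheel is removed from the virtualenv seed directories in this change for CVE-2025-8869. As far as I know CVE-2023-5752 was fixed in pip 23.3, so the text looks carried over from the python3.10 `pip-23.0.1` block and should read something like `# Bundled pip lacks the fix for CVE-2025-8869; remove the wheel until CPython bundles a fixed pip`. Separately, every removal names one exact filename and `rm -rf` exits 0 when that file is missing, so the `PYTHON_VERSIONS` bump in this change or a later one can bundle a different pip version and leave it in the image with a passing build. On the standalone `RUN` lines, plain `rm <path>` would fail the build when the path drifts; the `for PYTHON_VERSION in 3.10 3.11` loop body starts outside the visible lines, so the same check there is best confirmed against the full file. The comment above the last added `RUN` says "bundled wheel 25.0.1" where it means the bundled pip 25.0.1 wheel.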