vendor dependency jaraco.context 5.3.0 has high severity security issue GHSA-58pv-8j8x-9vj2

[danielwiegand]

setuptools' current version has jaraco.context 5.3.0 as a vendor dependency: https://github.com/pypa/setuptools/tree/main/setuptools/_vendor/jaraco.context-5.3.0.dist-info

However, this version of jaraco.context has a high severity security issue: GHSA-58pv-8j8x-9vj2

I currently do not know how to deal with this, as an upgrade to the latest version 6.1.0 is not possible via poetry etc. Any ideas?

[jaraco]

The security issue doesn't affect Setuptools, as Setuptools doesn't consume the affected behavior. The patched version can be updated and a new version of Setuptools released. Also, I'm pretty sure that Setuptools will prefer the installed version of dependencies over vendored ones. On Wed, Jan 14, 2026 at 08:57, Daniel W ***@***.******@***.***>> wrote: setuptools' current version has jaraco.context 5.3.0 as a vendor dependency: https://github.com/pypa/setuptools/tree/main/setuptools/_vendor/jaraco.context-5.3.0.dist-info However, this version of jaraco.context has a high severity security issue: GHSA-58pv-8j8x-9vj2<https://github.com/advisories/GHSA-58pv-8j8x-9vj2> I currently do not know how to deal with this, as an upgrade to the latest version 6.1.0 is not possible via poetry etc. Any ideas? — Reply to this email directly, view it on GitHub<#5136>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AACLLAQ34UQTV6L7C7DBZM34GZDLNAVCNFSM6AAAAACRVQXWPKVHI2DSMVQWIX3LMV43ERDJONRXK43TNFXW4OZZGM2DGMZSHE>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[jee4nc]

Hi @jaraco opened PR #5137 updating the vendored jaraco.context dependency to address this. Let me know if any additional changes are needed - happy to help!

[jaraco]

An issue was filed as #5138. Closing discussion.