Skip to content

Commit 6eb4256

Browse files
committed
fix(setup): fix uv-ffi pip subprocess isolation during editable install
During `pip install -e .`, setuptools runs setup.py inside an isolated build venv whose PYTHONPATH/PYTHONHOME override the real environment's site-packages, causing `python3 -m pip` to fail with 'No module named pip' even when pip is installed correctly in the target env. - Resolve real env Python via CONDA_PREFIX/VIRTUAL_ENV env vars instead of probing pip/pip3 executables or walking sys.executable - Strip PYTHONPATH, PYTHONHOME, and __PYVENV_LAUNCHER__ from the subprocess env before invoking pip install - Add build/install debug prints for dispatcher and uv-ffi stages - Refactor OptionalBuildExt and platform detection out of the SKIP_C_EXTENSIONS else-block so cmdclass is always defined - Clean up pyproject.toml: remove stale TODO comments, add uv vendor target/crates dirs to setuptools exclude list, add missing newline at EOF
1 parent 0a5cd81 commit 6eb4256

3 files changed

Lines changed: 213 additions & 107 deletions

File tree

licenses/cryptography-wasm.txt

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
License for cryptography-wasm
2+
=====================================
3+
4+
License file not found in package distribution.
5+
6+
Package information:
7+
https://pypi.org/project/cryptography-wasm/
8+
9+
To view package metadata:
10+
pip show cryptography-wasm

pyproject.toml

Lines changed: 9 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -87,19 +87,13 @@ dependencies = [
8787
"aiohttp>=3.8.6,<3.9.0; python_version == '3.7'", # Last Py3.7 version (20 known CVEs)
8888
"aiohttp>=3.10.11,<3.11.0; python_version == '3.8'", # Last Py3.8 version (9 known CVEs)
8989
"aiohttp>=3.13.5; python_version >= '3.9'", # Latest with all patches
90-
#aiohttp-lts on to-do list for pythons 3.7 and 3.8
9190

9291
# cryptography - version split by Python
93-
# Python 3.7: stuck at 45.0.7 (upstream dropped 3.7 before 46.x)
94-
# CVEs unresolved: CVE-2026-26007 (HIGH), CVE-2026-34073 (LOW), CVE-2026-39892 (MODERATE)
95-
# TODO: cryptography-lts needed for py37 to backport fixes landing in 46.0.5–46.0.7
96-
"cryptography>=46.0.7 ; python_version >= '3.8' and platform_system != 'Emscripten'", # fully patched
97-
"cryptography>=45.0.7,<46.0 ; python_version == '3.7' and platform_system != 'Emscripten'", # UNSAFE: 3 open CVEs, best available
92+
"cryptography>=46.0.7 ; python_version >= '3.8' and platform_system != 'Emscripten'",
93+
"cryptography>=45.0.7,<46.0 ; python_version == '3.7' and platform_system != 'Emscripten'",
9894
"cryptography-wasm>=42.0.2 ; platform_system == 'Emscripten'",
9995

10096
# Security scanning
101-
# safety moved to optional 'audit' extra due to CVE-2025-14009 in nltk dependency
102-
# pip-audit is now the primary default scanner for all versions
10397
"pip-audit>=2.0.0",
10498

10599
# uv
@@ -110,10 +104,9 @@ dependencies = [
110104
"urllib3>=2.6.3; python_version >= '3.10'",
111105

112106
# Flask CVE floor for CVE-2026-27205
113-
# TODO: flask-lts needed for py37/py38 to backport CVE-2026-27205
114-
"flask>=3.0.3; python_version == '3.8'", # stuck - upstream dropped 3.8 before 3.1.x
115-
"flask>=2.2.5; python_version == '3.7'", # stuck - upstream dropped 3.7 before 3.1.x
116-
"flask>=3.0.3; python_version >= '3.9'", # latest available, CVE-2026-27205 unpatched until 3.1.3 lands
107+
"flask>=3.0.3; python_version == '3.8'",
108+
"flask>=2.2.5; python_version == '3.7'",
109+
"flask>=3.0.3; python_version >= '3.9'",
117110

118111
# Flask-CORS for interactive docs
119112
"flask-cors>=3.0,<4.0; python_version < '3.8'",
@@ -123,11 +116,10 @@ dependencies = [
123116

124117
[project.optional-dependencies]
125118
full = [
126-
"tqdm>=4.67.1", # CVE-2024-34062 patched
119+
"tqdm>=4.67.1",
127120
"python-magic>=0.4.18",
128121
"redis>=4.0.0,<5.0; python_version == '3.7'",
129122
"redis>=5.0; python_version >= '3.8'",
130-
# Includes audit tools
131123
"safety>=3.7.0; python_version >= '3.10' and python_version < '3.14'",
132124
"marshmallow>=4.1.2; python_version >= '3.10'",
133125
]
@@ -159,6 +151,8 @@ exclude = [
159151
"dist*",
160152
"*.egg-info*",
161153
"dev_tools*",
154+
"omnipkg._vendor.uv.target*",
155+
"omnipkg._vendor.uv.crates*",
162156
]
163157

164158
[tool.setuptools.package-data]
@@ -174,4 +168,4 @@ license-files = ["LICENSE", "COMMERCIAL_LICENSE.md"]
174168
include-package-data = true
175169

176170
[tool.pytest.ini_options]
177-
continue_on_collection_errors = true
171+
continue_on_collection_errors = true

0 commit comments

Comments
 (0)