
Default env created by the installer should have option to skip setuptools #125

@ramki88

ramki88 commented Jul 26, 2023

on reflection if you're talking specifically about the environment in which poetry is installed by the installer - you could try raising a feature request in https://github.com/python-poetry/install.python-poetry.org

it seems plausible that this environment doesn't need setuptools at all, maybe the installer should always pass the --no-setuptools flag to virtualenv at environment creation

Originally posted by @dimbleby in python-poetry/poetry#8240 (comment)

@metasyn

metasyn commented Dec 13, 2023

Yes, this would be great. Today we found out that we have a CVE against setuptools that we needed to upgrade. This means we need to run an additional command to upgrade the setuptools in the venv that poetry uses itself.

@joejonespushsecurity

There's another vuln (CVE-2024-6345) in setuptools. It'd be great if we could have the option to exclude the package from installation OR if we had some way of dictating the version installed. Happy to contribute if you point me in the right direction/allow that 👍

@dimbleby

dimbleby commented Dec 16, 2024

`def make(cls, target: Path) -> "VirtualEnvironment":` looks to be where the environment is created

I believe that since python 3.12 both venv and virtualenv default to not including setuptools, so you might prefer just to use a recent python.

@joejonespushsecurity

@dimbleby Thanks for the info!

Yeah I've seen a few people suggesting that on other posts. Only issue with that is that it's a bigger change to make. But I will probably look to do that in the near future anyway to get rid of this issue completely 👍
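The thread's concern is that the installer's own venv silently carries a setuptools copy that nobody tracks. As an added example (not code from the thread or from the poetry project), the script below audits a venv directory offline: it locates `site-packages`, reads the `setuptools-*.dist-info/METADATA` entry if one exists, and reports whether the version is below a minimum you supply. The `70.0.0` threshold and the `lib/python3.12/site-packages` layout used in the built-in demo are assumptions for illustration; take the actual fixed version from the advisory for the CVE you are tracking. A venv created by a recent Python with no setuptools at all, as dimbleby describes, simply reports `present: False`.

```python
"""Audit a virtualenv for a bundled setuptools and flag versions below a minimum.

Added example: works on the on-disk dist-info metadata only, so it needs no
network access and does not import or execute anything from the target venv.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def find_site_packages(venv: Path) -> Optional[Path]:
    """Return the site-packages directory of a POSIX or Windows venv, or None."""
    candidates = sorted(venv.glob("lib/python*/site-packages"))
    candidates.append(venv / "Lib" / "site-packages")  # Windows layout
    for candidate in candidates:
        if candidate.is_dir():
            return candidate
    return None


def installed_version(site_packages: Path, dist: str) -> Optional[str]:
    """Read the version of `dist` from its .dist-info METADATA; None if not installed."""
    pattern = re.compile(rf"^{re.escape(dist)}-(.+)\.dist-info$", re.IGNORECASE)
    for entry in site_packages.iterdir():
        match = pattern.match(entry.name)
        if match is None or not entry.is_dir():
            continue
        metadata = entry / "METADATA"
        if metadata.is_file():
            for line in metadata.read_text(encoding="utf-8").splitlines():
                if line.lower().startswith("version:"):
                    return line.split(":", 1)[1].strip()
        return match.group(1)  # fall back to the version encoded in the directory name
    return None


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric, zero-padded comparison key (enough for setuptools' X.Y.Z releases)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def audit_setuptools(venv: Path, minimum: str) -> Dict[str, object]:
    """Report whether setuptools is present in `venv` and whether it is older than `minimum`."""
    site_packages = find_site_packages(venv)
    if site_packages is None:
        raise FileNotFoundError(f"no site-packages directory found under {venv}")
    version = installed_version(site_packages, "setuptools")
    outdated = version is not None and version_key(version) < version_key(minimum)
    return {"venv": str(venv), "present": version is not None,
            "version": version, "needs_upgrade": outdated}


def build_sample_venv(root: Path, setuptools_version: Optional[str]) -> Path:
    """Construct a minimal fake venv layout for the demo (constructed data, not a real env)."""
    site_packages = root / "lib" / "python3.12" / "site-packages"  # assumed layout
    site_packages.mkdir(parents=True, exist_ok=True)
    if setuptools_version is not None:
        dist_info = site_packages / f"setuptools-{setuptools_version}.dist-info"
        dist_info.mkdir()
        (dist_info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: setuptools\nVersion: {setuptools_version}\n",
            encoding="utf-8")
    return root


def run_demo(minimum: str = "70.0.0") -> Tuple[Dict[str, object], Dict[str, object]]:
    """Audit one constructed venv with an old setuptools and one without setuptools."""
    root = Path(tempfile.mkdtemp(prefix="venv-audit-"))
    old = audit_setuptools(build_sample_venv(root / "installer-venv", "65.5.0"), minimum)
    clean = audit_setuptools(build_sample_venv(root / "py312-venv", None), minimum)
    return old, clean


if __name__ == "__main__":
    # Usage: python audit_venv.py [VENV_DIR] [MINIMUM_VERSION]; no args runs the demo.
    if len(sys.argv) >= 2:
        print(audit_setuptools(Path(sys.argv[1]), sys.argv[2] if len(sys.argv) > 2 else "70.0.0"))
    else:
        for report in run_demo():
            print(report)
```

Pointing it at the installer's real environment (for example the `venv` directory under poetry's data directory) gives the one-line answer the thread is after: is setuptools there, and does it predate the fix. Because the script only reads metadata files, it is safe to run from a CI job against environments you do not otherwise trust.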
