That file is only used in the tests for compatibility reasons with old virtualenv; not related to the build toolkit at all.
Hi all,
My 1st post and I am also not a python expert - please be understanding.
When looking into the content of the virtualenv-20.29.1.tar.gz file we can find virtualenv-16.7.9-py2.py3-none-any.whl. If you go deeper, it reveals pip-19.1.1 (whl) and inside it more outdated packages.
When using some dumb security scanner, this ends up as a finding for certifi, e.g. CVE-2022-23491, CVE-2023-37920.
While it is just an inconvenience for me, it reveals that the build toolkit used to build the virtualenv-20.29.1.tar.gz might be quite outdated and not up to date with (not-so-recent) security findings - maybe it is time to update it?
I may also be completely wrong - would be grateful for an explanation of why, then (maybe it is just a packaging 'problem').
Cheers,
Simon
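An inventory script, added here as an illustration and not part of this discussion or the virtualenv project, that walks a source tarball and reports every wheel nested inside it with the packages each one carries, so a scanner finding like the certifi one above can be traced to the exact archive it came from. The sample archive it builds mirrors the layout described in the post; the paths inside the archives and the certifi version are assumptions made up for the demo.

```python
import io, re, tarfile, zipfile

DIST_INFO_RE = re.compile(r"^(?P<name>[^/]+)-(?P<ver>[^/-]+)\.dist-info/")
VENDOR_INIT_RE = re.compile(r"/_vendor/(?P<name>[^/]+)/__init__\.py$")
VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)

def _scan_wheel(data, path, report):
    """Record the packages this wheel carries, then recurse into any wheel it embeds."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        pkgs = set()
        for name in zf.namelist():
            if m := DIST_INFO_RE.match(name):
                pkgs.add(f"{m['name']}=={m['ver']}")
            elif m := VENDOR_INIT_RE.search(name):
                # vendored copies (pip/_vendor/...) ship no dist-info: read __version__ instead
                v = VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
                pkgs.add(f"{m['name']}=={v.group(1) if v else '?'} (vendored)")
            elif name.endswith(".whl"):
                _scan_wheel(zf.read(name), f"{path}!{name}", report)
        report[path] = sorted(pkgs)

def inventory_sdist(tgz_bytes):
    """Map each wheel found at any depth inside a .tar.gz to the packages it carries."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        for member in tf:
            if member.isfile() and member.name.endswith(".whl"):
                _scan_wheel(tf.extractfile(member).read(), member.name, report)
    return report

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_sdist():
    """Constructed stand-in for virtualenv-20.29.1.tar.gz: sdist -> old virtualenv wheel
    -> pip wheel -> vendored certifi. Paths and the certifi version are made up."""
    pip_whl = _zip({"pip-19.1.1.dist-info/METADATA": b"Name: pip\nVersion: 19.1.1\n",
                    "pip/_vendor/certifi/__init__.py": b'__version__ = "1.0.0"\n'})
    venv_whl = _zip({"virtualenv-16.7.9.dist-info/METADATA": b"Name: virtualenv\nVersion: 16.7.9\n",
                     "virtualenv_support/pip-19.1.1-py2.py3-none-any.whl": pip_whl})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("virtualenv-20.29.1/tests/virtualenv-16.7.9-py2.py3-none-any.whl")
        info.size = len(venv_whl)
        tf.addfile(info, io.BytesIO(venv_whl))
    return buf.getvalue()
```

Run `inventory_sdist(open("virtualenv-20.29.1.tar.gz", "rb").read())` on the real sdist to see which nested archive a scanner's certifi hit actually lives in; the `!` separator in the reported path marks each level of nesting.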