
Update setuptools requirement from >=42 to >=82.0.1#349

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/setuptools-gte-82.0.1

Conversation


@dependabot dependabot bot commented on behalf of github Apr 14, 2026

Updates the requirements on setuptools to permit the latest version.

Changelog

Sourced from setuptools's changelog.

v82.0.1

Bugfixes

  • Fix the loading of launcher manifest.xml file. (#5047)
  • Replaced deprecated json.__version__ with fixture in tests. (#5186)

Improved Documentation

  • Add advice about how to improve predictability when installing sdists. (#5168)

Misc

v82.0.0

Deprecations and Removals

  • pkg_resources has been removed from Setuptools. Most common uses of pkg_resources have been superseded by the importlib.resources (https://docs.python.org/3/library/importlib.resources.html) and importlib.metadata (https://docs.python.org/3/library/importlib.metadata.html) projects. Projects and environments relying on pkg_resources for namespace packages or other behavior should depend on older versions of setuptools. (#3085)

v81.0.0

Deprecations and Removals

  • Removed support for the --dry-run parameter to setup.py. This one feature by its nature threads through lots of core and ancillary functionality, adding complexity and friction. Removal of this parameter will help decouple the compiler functionality from distutils and thus the eventual full integration of distutils. These changes do affect some class and function signatures, so any derivative functionality may require some compatibility shims to support their expected interface. Please report any issues to the Setuptools project for investigation. (#4872)

v80.10.2

Bugfixes

  • Update vendored dependencies. (#5159)

Misc

... (truncated)

Commits
  • 5a13876 Bump version: 82.0.0 → 82.0.1
  • 51ab8f1 Avoid using (deprecated) 'json.version' in tests (#5194)
  • f9c37b2 Docs/CI: Fix intersphinx references (#5195)
  • 8173db2 Docs: Fix intersphinx references
  • 09bafbc Fix past tense on newsfragment
  • 461ea56 Add news fragment
  • c4ffe53 Avoid using (deprecated) 'json.version' in tests
  • 749258b Cleanup pkg_resources dependencies and configuration (#5175)
  • 2019c16 Parse ext-module.define-macros from pyproject.toml as list of tuples (#5169)
  • b809c86 Sync setuptools schema with validate-pyproject (#5157)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
Build tooling now requires a much newer setuptools, which could break builds/environments that relied on older versions or pkg_resources behavior.

Overview
Updates pyproject.toml build-system requirements to raise the minimum setuptools version from >=42 to >=82.0.1, ensuring builds use the newer packaging toolchain.

Reviewed by Cursor Bugbot for commit 11d3846. Bugbot is set up for automated code reviews on this repo.

Updates the requirements on [setuptools](https://github.com/pypa/setuptools) to permit the latest version.
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v42.0.0...v82.0.1)

---
updated-dependencies:
- dependency-name: setuptools
  dependency-version: 82.0.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Apr 14, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how the project uses setuptools and scanning for pkg_resources or other compatibility concerns.

Verdict: benign

Why this is not malware

  • Package identity: The change pins the build-system dependency to setuptools>=82.0.1 from pypa/setuptools on PyPI—the canonical project, not a typosquat.
  • Scope of change: A Dependabot-style bump in pyproject.toml ([build-system] requires) does not add npm lifecycle scripts, vendor blobs, or unexpected workflow edits; the scanner reported 0 changed lockfiles and 0 changed node/vendor paths in the metadata you shared.
  • Scanner “hard evidence”: The report shows unicode: [], confusable: [], ioc: []—no invisible-Unicode or indicator-of-compromise hits. status: warn with warn_only: true reflects noisy heuristics, not confirmed malware.
  • Heuristic false positives: Matches like Require(..., homepage="http://example.com") in upstream test code, spawn/exec/subprocess in NEWS/docs, a blog.ganssle.io link in the changelog, and ghost_version_or_missing_tag / maintainer_drift on the requirement string are consistent with benign documentation and test patterns, not obfuscated payloads or C2.

Actionable follow-up (compatibility, not security): Setuptools 82 removes pkg_resources from setuptools; this repo’s own tree (outside .upstream-dependency) does not appear to rely on import pkg_resources for the VDF package. If any downstream tool or optional path still imports pkg_resources at build time, add an explicit dependency on setuptools<82 or migrate to importlib.metadata / importlib.resources—that is a breaking-change concern, not a compromise signal.

Compatibility Analysis

Searching the repo for setuptools usage and compatibility with setuptools 82 changes.

1) Where setuptools appears (this repo)

Location and role:

  • pyproject.toml: build-system.requires pins setuptools>=82.0.1; backend setuptools.build_meta; [tool.setuptools_scm] for versions
  • setup.py: from setuptools import Command, Extension, setup; setuptools.command.build / build_ext; custom Command / build_ext subclass; setup(...) with ext_modules and cmdclass
  • .github/workflows/build.yml: comment about setuptools/cibuildwheel on Windows; lint/typecheck runs on setup.py
  • .github/workflows/codeql-analysis.yml, README.md: pip install lists that include build helpers (not a direct API surface)

Not used in project code: tests/ and src/ have no setuptools, pkg_resources, or distutils imports.

The .upstream-dependency/ tree is vendored upstream (setuptools itself) and is not part of chiavdf’s runtime/build logic for this analysis.


2) Overlap with setuptools 81–82 breaking changes

From the PR notes:

  • pkg_resources removed from setuptools (v82): No overlap: chiavdf does not import pkg_resources.
  • setup.py --dry-run removed (v81): No overlap in this repo’s workflows: no setup.py --dry-run; Rust workflow uses cargo publish --dry-run, which is unrelated.

setup.py uses stable, still-supported pieces: Extension, setup, Command, build / build_ext, and distribution.get_version() inside a custom build_ext. None of these are the pkg_resources removal.


3) Risks / unknowns

  • Build isolation / pins: CI uses cibuildwheel and PEP 517 builds; they will install whatever satisfies pyproject.toml. Ensure pip / cibuildwheel / build can resolve setuptools>=82.0.1 with setuptools_scm[toml]>=3.5.0 and pybind11 (usually fine; any failure would show up as CI, not as silent runtime breakage).
  • Downstream environments that still rely on import pkg_resources without declaring setuptools or setuptools’s old bundle are a general ecosystem issue, not something chiavdf’s sources do.
  • Edge regression in setuptools itself is always possible; there is no project-specific API usage that flags a known incompatibility.

4) Recommendation

Merge (treat green CI on the PR as the main gate).

If CI fails, investigate resolver/build-backend issues first (versions of setuptools_scm, wheel, pip in the isolated build env) rather than chiavdf’s setup.py patterns, which do not hit the documented removals.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 8
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved refs: from=n/a to=n/a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 18

Top findings

  • setuptools/tests/test_setuptools.py:124 dynamic_require_import :: req = Require('Tests', None, 'tests', homepage="http://example.com")
  • docs/conf.py:189 shell_process_spawn :: ('py:func', 'distutils.spawn.find_executable'), # undocumented
  • docs/conf.py:190 shell_process_spawn :: ('py:func', 'distutils.spawn.spawn'), # undocumented
  • pyproject.toml:62 shell_process_spawn :: "pytest-subprocess",
  • NEWS.rst:1988 shell_process_spawn :: to :func:compile the setup script code before :func:exec-ing it.
  • NEWS.rst:3559 shell_process_spawn :: * #2368: In distutils, restore support for monkeypatched CCompiler.spawn per pypa/distutils#15.
  • NEWS.rst:3613 shell_process_spawn :: * #2357: Restored Python 3.5 support in distutils.util for missing subprocess._optim_args_from_interpreter_flags.
  • NEWS.rst:3707 shell_process_spawn :: * #2257: Fixed two flaws in distutils._msvccompiler.MSVCCompiler.spawn.
  • NEWS.rst:3727 shell_process_spawn :: * #2212: (Distutils) Allow spawn to accept environment. Avoid monkey-patching global state.
  • NEWS.rst:3758 shell_process_spawn :: * #2228: Applied fix for pypa/distutils#3, restoring expectation that spawn will raise a DistutilsExecError when attempting to execute a missing file.
  • NEWS.rst:3798 shell_process_spawn :: To avoid getting any legacy behavior from the standard library, projects are advised to always "import setuptools" prior to importing anything from distutils. This behavior happens by default when using pip install or pep517.build. Workflows that rely on setup.py (anything) will need to first ensure setuptools is imported. One way to achieve this behavior without modifying code is to invoke Python thus: python -c "import setuptools; exec(open('setup.py').read())" (anything).
  • NEWS.rst:5120 shell_process_spawn :: a subprocess.
  • NEWS.rst:6891 shell_process_spawn :: for legacy SVN releases and support for SVN without the subprocess command
  • NEWS.rst:7510 shell_process_spawn :: * Distribute #70: exec bit on non-exec files
  • NEWS.rst:8087 shell_process_spawn :: * Added exhaustive testing of the install directory, including a spawn test
  • NEWS.rst:3051 network_c2_indicator :: * #917: setup.py install and easy_install commands are now officially deprecated. Use other standards-based installers (like pip) and builders (like build). Workloads reliant on this behavior should pin to this major version of Setuptools. See Why you shouldn't invoke setup.py directly <https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html>_ for more background.
  • setuptools:0 ghost_version_or_missing_tag :: >=82.0.1
  • setuptools:0 maintainer_drift :: >=42->>=82.0.1
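As an added illustration (not part of the PR, of either bot's comment, or of chiavdf's code), a small pre-merge check for the pkg_resources removal discussed above: it locates `pkg_resources` imports through the AST rather than by grepping, reads the setuptools lower bound from `build-system.requires`, and reports whether a bump to setuptools 82 is safe. The sample sources and the pyproject fragment are constructed for the example.

```python
import ast
import re

# Constructed sample tree (not the chiavdf repo); tools/version.py shows the
# pattern that setuptools>=82 breaks, the other files are fine.
SAMPLE_SOURCES = {
    "setup.py": "from setuptools import Extension, setup\nsetup(name='demo')\n",
    "tools/version.py": (
        "import pkg_resources\n"
        "def ver():\n"
        "    return pkg_resources.get_distribution('demo').version\n"
    ),
    "tests/test_ok.py": "from importlib.metadata import version\n",
}

# Constructed pyproject fragment mirroring the PR's new lower bound.
SAMPLE_PYPROJECT = (
    '[build-system]\n'
    'requires = ["setuptools>=82.0.1", "setuptools_scm[toml]>=3.5.0"]\n'
)


def pkg_resources_imports(sources):
    """Return (path, lineno) for every import of pkg_resources.
    Walking the AST avoids false positives from comments, docstrings and
    changelog text (the kind of hits the heuristic scanner above reports)."""
    hits = []
    for path, src in sources.items():
        for node in ast.walk(ast.parse(src, filename=path)):
            if isinstance(node, ast.Import):
                names = [alias.name for alias in node.names]
            elif isinstance(node, ast.ImportFrom):
                names = [node.module or ""]
            else:
                continue
            if any(n == "pkg_resources" or n.startswith("pkg_resources.") for n in names):
                hits.append((path, node.lineno))
    return hits


def setuptools_minimum(pyproject_text):
    """Lower bound declared for setuptools itself (setuptools_scm is not matched)."""
    m = re.search(r'"setuptools\s*>=\s*([0-9][0-9.]*)"', pyproject_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def bump_is_safe(sources, pyproject_text):
    """setuptools >=82 no longer ships pkg_resources, so a bump to that bound is
    safe only when nothing in the tree still imports it."""
    minimum = setuptools_minimum(pyproject_text)
    if minimum is None or minimum < (82,):
        return True
    return not pkg_resources_imports(sources)
```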
