From c149b76ad6df1e2a07b7eda42d1c7fdf7f5a4110 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 15 Nov 2022 09:18:59 -0500
Subject: [PATCH] Add a lower bound for the version of setuptools

This is done in response to a recently-discovered vulnerability in setuptools:
- https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904
- pypa/setuptools#3659
- https://cwe.mitre.org/data/definitions/1333.html
---
 requirements.txt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 0a8547b..bb43744 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,7 @@
-setuptools
+# setuptools<65.5.1 has an inefficient regex vulnerability that
+# *could* lead to DoS:
+# - https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904
+# - pypa/setuptools#3659
+# - https://cwe.mitre.org/data/definitions/1333.html
+setuptools>=65.5.1
 wheel
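Review bot: The new `setuptools>=65.5.1` line only raises the version in environments that are installed from this requirements file; it does not affect the setuptools that pip provisions in an isolated build environment for other packages (that comes from each package's `build-system.requires`), nor the copy a freshly created venv ships with until `pip install -r requirements.txt` runs. If the project has its own `pyproject.toml` with a `build-system.requires` entry (not visible here), the same lower bound belongs there too, otherwise the vulnerable version can still be used at build time. The comment block could state this scope explicitly, e.g. `# NOTE: this bound covers installs from this file only; mirror it in any build-system.requires.`, so a later reader does not assume the whole toolchain is covered.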