fix(deps): update dependency setuptools to v78 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
setuptools (changelog)	^75.1.0 → ^78.0.0

GitHub Vulnerability Alerts

CVE-2025-47273

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details

    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)

Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946

---

Release Notes

pypa/setuptools (setuptools)

v78.1.1

Compare Source

v78.1.0

Compare Source

v78.0.2

Compare Source

v78.0.1

Compare Source

v77.0.3

Compare Source

v77.0.1

Compare Source

v76.1.0

Compare Source

v76.0.0

Compare Source

v75.9.1

Compare Source

v75.9.0

Compare Source

v75.8.2

Compare Source

v75.8.1

Compare Source

v75.8.0

Compare Source

v75.7.0

Compare Source

v75.6.0

Compare Source

v75.5.0

Compare Source

v75.4.0

Compare Source

v75.3.3

Compare Source

v75.3.2

Compare Source

v75.3.1

Compare Source

v75.3.0

Compare Source

v75.2.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
examples.nameguard.io	Ready	Preview, Comment	Feb 2, 2026 3:34pm
nameai.io	Ready	Preview, Comment	Feb 2, 2026 3:34pm
namegraph.dev	Ready	Preview, Comment	Feb 2, 2026 3:34pm
nameguard.io	Ready	Preview, Comment	Feb 2, 2026 3:34pm
namehashlabs.org	Ready	Preview, Comment	Feb 2, 2026 3:34pm
namekit.io	Ready	Preview, Comment	Feb 2, 2026 3:34pm
storybook.namekit.io	Ready	Preview, Comment	Feb 2, 2026 3:34pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 58ed8fa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR