
build(deps): update setuptools requirement from ~=75.6.0 to ~=82.0.0 #479

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/setuptools-approx-eq-82.0.0

Conversation

@dependabot dependabot bot (Contributor) commented on behalf of github, Mar 5, 2026

Updates the requirements on setuptools to permit the latest version.

Changelog

Sourced from setuptools's changelog.

v82.0.0

Deprecations and Removals

  • pkg_resources has been removed from Setuptools. Most common uses of pkg_resources have been superseded by the importlib.resources (https://docs.python.org/3/library/importlib.resources.html) and importlib.metadata (https://docs.python.org/3/library/importlib.metadata.html) projects. Projects and environments relying on pkg_resources for namespace packages or other behavior should depend on older versions of setuptools. (#3085)

v81.0.0

Deprecations and Removals

  • Removed support for the --dry-run parameter to setup.py. This one feature by its nature threads through lots of core and ancillary functionality, adding complexity and friction. Removal of this parameter will help decouple the compiler functionality from distutils and thus the eventual full integration of distutils. These changes do affect some class and function signatures, so any derivative functionality may require some compatibility shims to support their expected interface. Please report any issues to the Setuptools project for investigation. (#4872)

v80.10.2

Bugfixes

  • Update vendored dependencies. (#5159)

Misc

v80.10.1

Misc

v80.10.0

Features

  • Remove post-release tags on setuptools' own build. (#4530)
  • Refreshed vendored dependencies. (#5139)

... (truncated)

Commits
  • 03f3615 Bump version: 81.0.0 → 82.0.0
  • 530d114 Merge pull request #5007 from pypa/feature/remove-more-pkg_resources
  • 11efe9f Merge branch 'maint/75.3'
  • 118f129 Bump version: 75.3.3 → 75.3.4
  • 90561ff Merge pull request #5150 from UladzimirTrehubenka/backport_cve_47273
  • 4595034 Add news fragment.
  • fc00800 Merge pull request #5171 from cclauss/ruff-v0.15.0
  • 127e561 Remove tests reliant on pkg_resources, rather than xfailing them.
  • 64bc21e Reference the superseding libraries.
  • cf1ff45 Merge branch 'main' into debt/pbr-without-pkg_resources
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [setuptools](https://github.com/pypa/setuptools) to permit the latest version.
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v75.6.0...v82.0.0)

---
updated-dependencies:
- dependency-name: setuptools
  dependency-version: 82.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
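The changelog entry quoted above says pkg_resources is gone in 82.0.0 and points at importlib.resources and importlib.metadata as the replacements. The block below is an added example, not setuptools' own code and not this repository's: it shows the usual pkg_resources call sites (distribution version, console_scripts entry points, working-set listing, resource_string) rewritten on the standard-library modules, and a check of the "~=" (compatible release) operator used in the pin this PR changes, which is why 82.0.0 could not satisfy the old ~=75.6.0 requirement. The project name acme_tool, its entry point and its config.yaml are constructed sample data written to a temp directory; the compatible-release check is a simplified stand-in for the packaging library, handling plain dotted numeric versions only.

```python
"""Added example (not setuptools' or this repository's code): pkg_resources call
sites rewritten on importlib.metadata / importlib.resources, plus a PEP 440
'~=' check. Runs offline: a throw-away distribution and package are built in a
temp directory, so nothing depends on what is installed in the interpreter."""
from __future__ import annotations

import re
import sys
import tempfile
from importlib.metadata import PathDistribution, distributions
from importlib.resources import files
from pathlib import Path

# Constructed sample data (hypothetical project "acme_tool", not a real package).
SAMPLE_NAME, SAMPLE_VERSION = "acme_tool", "1.2.0"
SAMPLE_ENTRY_POINTS = "[console_scripts]\nacme = acme_tool.cli:main\n"
SAMPLE_RESOURCE = b"policy: deny-by-default\n"


def build_sample(root: Path) -> Path:
    """Write <name>-<version>.dist-info plus an importable package under root."""
    info = root / f"{SAMPLE_NAME}-{SAMPLE_VERSION}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {SAMPLE_NAME}\nVersion: {SAMPLE_VERSION}\n")
    (info / "entry_points.txt").write_text(SAMPLE_ENTRY_POINTS)
    pkg = root / SAMPLE_NAME
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "config.yaml").write_bytes(SAMPLE_RESOURCE)
    return info


# Old: pkg_resources.get_distribution(name).version
def dist_version(info_dir: Path) -> str:
    return PathDistribution(info_dir).version


# Old: pkg_resources.iter_entry_points("console_scripts")
def console_scripts(info_dir: Path) -> dict[str, str]:
    dist = PathDistribution(info_dir)
    return {ep.name: ep.value for ep in dist.entry_points if ep.group == "console_scripts"}


# Old: pkg_resources.working_set (every distribution visible on a search path)
def installed_versions(search_path: list[str]) -> dict[str, str]:
    return {d.metadata["Name"]: d.version for d in distributions(path=search_path)}


# Old: pkg_resources.resource_string(package, name)
def read_resource(root: Path, package: str, name: str) -> bytes:
    sys.path.insert(0, str(root))  # make the sample package importable
    try:
        return files(package).joinpath(name).read_bytes()
    finally:
        sys.path.remove(str(root))
        sys.modules.pop(package, None)


_COMPAT = re.compile(r"^\s*[A-Za-z0-9_.-]+\s*~=\s*(\d+(?:\.\d+)+)\s*$")


def satisfies_compatible(requirement: str, installed: str) -> bool:
    """PEP 440 compatible-release check, restricted to plain dotted numeric
    versions (no pre/post/local segments): 'setuptools~=82.0.0' means
    >=82.0.0 and ==82.0.*, i.e. every component but the last stated one must
    match exactly and the version must not be older than the pin."""
    m = _COMPAT.match(requirement)
    if not m:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    spec = [int(x) for x in m.group(1).split(".")]
    have = [int(x) for x in installed.split(".")]
    width = max(len(spec), len(have))
    spec_p = spec + [0] * (width - len(spec))
    have_p = have + [0] * (width - len(have))
    return have_p >= spec_p and have_p[: len(spec) - 1] == spec[:-1]


def demo() -> dict:
    """Build the sample distribution and exercise each replacement once."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        info = build_sample(root)
        return {
            "version": dist_version(info),
            "scripts": console_scripts(info),
            "installed": installed_versions([str(root)]),
            "resource": read_resource(root, SAMPLE_NAME, "config.yaml"),
        }


if __name__ == "__main__":
    print(demo())
    for pin, have in [("setuptools~=75.6.0", "82.0.0"), ("setuptools~=82.0.0", "82.0.3")]:
        print(pin, have, satisfies_compatible(pin, have))
```

The metadata lookups take an explicit search path instead of sys.path so a build or audit script can inspect a target environment (a venv's site-packages, a container layer) without importing anything from it; resource reading has no such option, because importlib.resources resolves names through the import system.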
@dependabot dependabot bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) on Mar 5, 2026
@socket-security commented:

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    | Package                      | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | setuptools@75.6.0 ⏵ 82.0.0   | 73                    | 100 +16       | 100     | 100         | 70

View full report

@socket-security commented:

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn Low
Potential code anomaly (AI signal): pypi setuptools is 100.0% likely to have a medium risk anomaly

Notes: The code fragment appears to be an environment-detection helper tailored for macOS/Homebrew Python setups. It does not exhibit explicit malicious behavior but is fragile, relies on private CPython attributes, and contains an incomplete/possibly corrupted return path in scheme(), which could lead to runtime errors or misconfigurations in packaging workflows. The combination of relying on external tooling (brew), and macOS-specific assumptions poses supply-chain and reliability risks. Recommend treating as suspicious until corrected and thoroughly unit-tested in target environments.

Confidence: 1.00

Severity: 0.60

From: requirements.txt › pypi/setuptools@82.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/setuptools@82.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): pypi setuptools is 100.0% likely to have a medium risk anomaly

Notes: The fragment demonstrates a legitimate packaging workflow but relies on executing an external setup script via exec, which is a high-risk pattern in supply chain contexts when inputs are untrusted. The code also contains clear quality issues (undefined USAGE, truncated return), suggesting it's incomplete or corrupted. If used with trusted inputs, risk is mitigated; if exposed to untrusted setup.py, arbitrary code execution is possible. The primary actionable risk is the exec path with untrusted input; provenance controls and isolation are essential. Overall, treat this fragment as dangerous in insecure contexts and incomplete in current form.

Confidence: 1.00

Severity: 0.60

From: requirements.txt › pypi/setuptools@82.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/setuptools@82.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


Labels

  • Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog)
  • dependencies (Pull requests that update a dependency file)
  • python (Pull requests that update Python code)


0 participants