cp: Bump setuptools >= 80.10.1 and wheel >= 0.46.2 (#1822) into r0.5.0 #1825
Conversation
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
📝 Walkthrough
This PR updates the build system dependencies in
Changes
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ Passed checks (4 passed)
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@pyproject.toml`:
- Line 229: Add an inline explanatory comment above the dependency line
"setuptools>=80.10.1" describing why this specific setuptools minimum is
required (e.g., fixes a known build/runtime bug, compatibility with a particular
plugin, or to match CI/build tool requirements), modeled after the other
override comments in the section so future readers understand the rationale and
can safely update or remove it.
- Line 2: The override for setuptools (setuptools>=80.10.1) in
override-dependencies is missing an explanatory comment and may need alignment
with build-system requires; add a concise comment next to the
setuptools>=80.10.1 entry that documents the reason (security fix, compatibility
with build backends, or bug/feature in that setuptools release) and, if the
reason affects packaging or build-time behavior, update build-system.requires to
setuptools>=80.10.1 as well; also cross-reference any related entry in
constraint-dependencies (e.g., wheel>=0.46.2) if a CVE or issue number exists so
reviewers can trace the rationale.
| @@ -1,5 +1,5 @@ | |||
| [build-system] | |||
| requires = ["setuptools>=42", "wheel"] | |||
| requires = ["setuptools>=42", "wheel>=0.46.2"] | |||
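Review bot: this hunk raises the build-time floor for wheel but leaves setuptools at >=42, while the override-dependencies entry added later in this PR raises setuptools to >=80.10.1. A PEP 517 isolated build resolves its build backend from build-system.requires, not from override-dependencies, so a fresh build environment for this project can still pick up a setuptools older than 80.10.1. Suggest `requires = ["setuptools>=80.10.1", "wheel>=0.46.2"]` here, with a comment naming the reason for both floors, mirroring the CVE reference the constraint-dependencies entry for wheel already carries.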
🧩 Analysis chain
🌐 Web query:
setuptools 80.10.1 security vulnerability CVE fixes
💡 Result:
- Setuptools 80.10.1: public vulnerability databases (e.g., Snyk) report no known direct vulnerabilities affecting 80.10.1. [1]
Key CVEs you may see in scanners, but they’re already fixed in 80.10.1 (because it’s much newer than the fixed versions):
- CVE-2025-47273 (Path Traversal in PackageIndex): affects setuptools < 78.1.1; fixed in 78.1.1 (so 80.10.1 is not affected). [2][3]
- CVE-2024-6345 (RCE via package_index download functions): affects setuptools up to 69.1.1; fixed in 70.0 (so 80.10.1 is not affected). [4]
- CVE-2022-40897 (DoS via inefficient regex when fetching malicious HTML): affects setuptools < 65.5.1; fixed in 65.5.1 (so 80.10.1 is not affected). [5]
If you share the exact CVE IDs your tool flags, I can map each one to the minimum safe setuptools version and why it’s being reported.
🏁 Script executed:
#!/bin/bash
# Search for commit messages, changelog entries, or comments explaining the setuptools bump
git log --oneline -20 -- pyproject.toml 2>/dev/null | head -10
git log -1 --format="%B" 2>/dev/null | head -50
fd -e md -e txt -e rst -i changelog | xargs grep -l "setuptools\|80.10.1" 2>/dev/null || echo "No changelog found"
grep -n "80.10.1\|80\.10\.1" pyproject.toml 2>/dev/null
Repository: NVIDIA-NeMo/RL
Length of output: 291
🏁 Script executed:
#!/bin/bash
# Read lines around line 2 (build-system), 229 (override-dependencies), and 238 (constraint-dependencies)
echo "=== Lines 1-10 (build-system section) ==="
sed -n '1,10p' pyproject.toml
echo -e "\n=== Lines 220-240 (override-dependencies section) ==="
sed -n '220,240p' pyproject.toml
echo -e "\n=== Context: What is override-dependencies used for? ==="
head -50 pyproject.toml | grep -A 5 -B 5 "override-dependencies" || grep -B 10 "override-dependencies" pyproject.toml | head -20
Repository: NVIDIA-NeMo/RL
Length of output: 2445
Add explanation for setuptools>=80.10.1 override requirement.
The setuptools>=80.10.1 entry in override-dependencies lacks an explanatory comment, unlike the other overrides above it. Additionally, unlike wheel>=0.46.2 which has a CVE reference in constraint-dependencies, the setuptools bump has no documented reason. Clarify why this override is necessary and consider whether the build-system requires should also be updated to setuptools>=80.10.1 if it addresses a functional or compatibility issue.
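The comment above makes two checkable claims: that the build-system floor for setuptools (>=42) is lower than the override-dependencies floor (>=80.10.1), and that 80.10.1 is past the fixed versions the web query listed. The following is an added example that does both checks, not code from the NVIDIA-NeMo/RL repository or from CodeRabbit. It assumes requirements are plain `name>=x.y.z` strings as they appear in pyproject.toml and release-style versions only; the section names and the sample requirement lists are constructed to mirror the diff in this PR, and the fixed versions are the ones quoted in the web-query result.

```python
"""Compare per-section version floors in a pyproject.toml and check a floor
against the setuptools fix versions quoted in the review above.

Added example; not code from NVIDIA-NeMo/RL. Assumes release-style versions
and "name>=x.y.z" requirement strings (extras such as [torch] are tolerated).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the diff in this PR: build-system keeps
# setuptools>=42 while override-dependencies raises it to 80.10.1.
SAMPLE_SECTIONS: Dict[str, List[str]] = {
    "build-system.requires": ["setuptools>=42", "wheel>=0.46.2"],
    "override-dependencies": [
        "opencv-python-headless>=4.11.0",
        "timm<=1.0.22",
        "nvidia-modelopt[torch]>=0.39.0",
        "setuptools>=80.10.1",
    ],
    "constraint-dependencies": ["wheel>=0.46.2"],
}

# Fixed versions quoted in the review's web-query result (setuptools only).
SETUPTOOLS_FIXES: Dict[str, str] = {
    "CVE-2022-40897": "65.5.1",
    "CVE-2024-6345": "70.0",
    "CVE-2025-47273": "78.1.1",
}

# name, optional extras, operator, version
_REQ = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(>=|==|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)\s*$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'80.10.1' -> (80, 10, 1). Non-numeric components are dropped (assumption)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def floors(reqs: List[str]) -> Dict[str, str]:
    """Return {package: lowest allowed version} for '>=' / '==' requirements.

    Upper bounds such as 'timm<=1.0.22' impose no floor and are skipped.
    """
    out: Dict[str, str] = {}
    for r in reqs:
        m = _REQ.match(r)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if op in (">=", "==") and (
            name not in out or parse_version(ver) > parse_version(out[name])
        ):
            out[name] = ver
    return out


def floor_mismatches(
    sections: Dict[str, List[str]], build_key: str = "build-system.requires"
) -> List[Tuple[str, str, str, str]]:
    """List (package, build floor, other section, higher floor) where the
    build-time floor is lower than a floor declared elsewhere."""
    build = floors(sections.get(build_key, []))
    found = []
    for section, reqs in sections.items():
        if section == build_key:
            continue
        for pkg, ver in floors(reqs).items():
            if pkg in build and parse_version(build[pkg]) < parse_version(ver):
                found.append((pkg, build[pkg], section, ver))
    return found


def covers_fixes(min_version: str, fixes: Dict[str, str]) -> Dict[str, bool]:
    """For each issue id, True if every version allowed by the floor is at or
    past the version in which it was fixed."""
    floor = parse_version(min_version)
    return {issue: floor >= parse_version(fixed) for issue, fixed in fixes.items()}


if __name__ == "__main__":
    for pkg, low, section, high in floor_mismatches(SAMPLE_SECTIONS):
        print(f"{pkg}: build-system floor {low} is below {section} floor {high}")
    for floor_ver in ("42", "80.10.1"):
        print(floor_ver, covers_fixes(floor_ver, SETUPTOOLS_FIXES))
```

On the sample, the only mismatch reported is setuptools (42 in build-system against 80.10.1 in override-dependencies); wheel agrees across sections. The fix-coverage check shows a floor of 42 covers none of the quoted fixes and 80.10.1 covers all three, which is the basis for raising the build-system floor as well rather than only the install-time override.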
| "opencv-python-headless>=4.11.0", | ||
| "timm<=1.0.22", | ||
| "nvidia-modelopt[torch]>=0.39.0", | ||
| "setuptools>=80.10.1", |
🧩 Analysis chain
🏁 Script executed:
# Verify setuptools version on PyPI
curl -s "https://pypi.org/pypi/setuptools/80.10.1/json" | jq -r '.info.version // "Version not found"'
Repository: NVIDIA-NeMo/RL
Length of output: 65
🏁 Script executed:
# Check pyproject.toml context around line 229
cat -n pyproject.toml | sed -n '220,240p'
Repository: NVIDIA-NeMo/RL
Length of output: 1170
Add explanatory comment for setuptools override.
The setuptools version 80.10.1 exists on PyPI, but this override-dependency lacks an explanatory comment unlike the others above it (lines 225-228). Add a comment explaining why version 80.10.1 is required.
… into r0.5.0 (NVIDIA-NeMo#1825) Signed-off-by: Charlie Truong <chtruong@nvidia.com>
What does this PR do?
cp: Bump setuptools >= 80.10.1 and wheel >= 0.46.2 (#1822) into r0.5.0
Issues
List issues that this PR closes (syntax):
Usage
# Add a code snippet demonstrating how to use this
Before your PR is "Ready for review"
Pre checks:
Additional Information
Summary by CodeRabbit
Chores