[python:3.10.13-alpine3.18] CVE-2018-20225 and CVE-2022-40897

[rajatnt]

CVE-2018-20225 and CVE-2022-40897, are found in pip:23.0.1 and setuptools:65.5.0 respectively.

These packages - pip:23.0.1 and setuptools:65.5.0 are part of python:3.10.13.

Is there a way/fix we could consider making in the docker file for fixing these vulnerabilities by upgrading them to the near latest version for these packages?

[yosifkit]

We rarely update the tools versions from what is included in the given python release (#781 (comment)) since that often can be breaking changes. Though for setuptools, we made the rare exception and already addressed that one where it wouldn't cause a major setuptools version bump: #783.

As for CVE-2018-20225, that one is disputed that it even is a vulnerability (see also https://bugzilla.redhat.com/show_bug.cgi?id=1835736).