Skip to content

feat(toolchains): backport 20260325/20260414 Python toolchains for 2.0.2 (#3708)#3775

Merged
aignas merged 2 commits into
bazel-contrib:release/2.0from
kevinpark1217:backport-toolchains-3708-release-2.0
May 20, 2026
Merged

feat(toolchains): backport 20260325/20260414 Python toolchains for 2.0.2 (#3708)#3775
aignas merged 2 commits into
bazel-contrib:release/2.0from
kevinpark1217:backport-toolchains-3708-release-2.0

Conversation

@kevinpark1217
Copy link
Copy Markdown
Contributor

@kevinpark1217 kevinpark1217 commented May 14, 2026
edited
Loading

Backports the Python toolchain bumps from #3708 to release/2.0 so the 2.0.x series can pick up the high-severity CVE fixes (CVE-2025-13836, CVE-2026-24049, CVE-2026-23949) described in #3773 without requiring a major-version migration. Adds MINOR_MAPPING entries for 3.10.20, 3.11.15, 3.12.13, 3.13.{12,13}, 3.14.{3,4}, 3.15.0a8 and a new 2.0.2 CHANGELOG.md section.

Before: release/2.0 ships 3.10.19 / 3.11.14 / 3.12.12 / 3.13.11 / 3.14.2, which bundle the vulnerable interpreter + setuptools/pkg_resources.

After: release/2.0 ships the patched 20260325 / 20260414 python-build-standalone archives. CHANGELOG gains a 2.0.2 section.

Commits:

  • feat(toolchains): Add 3.10.20, 3.11.15, ... — cherry-pick of feat(toolchains): Add 3.10.20, 3.11.15, 3.12.13, 3.13.{12,13} 3.14.{3,4}, 3.15.0a8 #3708 (6dac0f6d). CHANGELOG.md bullets placed under a new 2.0.2 section instead of Unreleased. The examples/wheel/ hunk is kept verbatim because the new interpreters drop setuptools/pkg_resources, breaking the previously-pinned pypiserver==2.0.1.
  • ci: update RBE toolchain version from ubuntu2204 to ubuntu2404 (#3778) — cherry-pick of 32527de8. Needed to unbreak RBE jobs (RBE provider dropped the ubuntu2204 toolchain). MODULE.bazel conflict resolved by taking only the rules_cc 0.1.5 → 0.2.17 bump; the unrelated package_metadata bazel_dep from main is skipped.

Fixes #3773.

This was referenced May 14, 2026
Merged
Merged
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Python toolchains by adding several new versions (3.10.20, 3.11.15, 3.12.13, 3.13.12, 3.13.13, 3.14.3, 3.14.4, and 3.15.0a8) from the 20260325 and 20260414 releases. It also updates the MINOR_MAPPING to these latest versions and adjusts the get_release_info logic in python/versions.bzl to handle build string formatting for freethreaded platforms based on the release ID. I have no feedback to provide.

@kevinpark1217 kevinpark1217 force-pushed the backport-toolchains-3708-release-2.0 branch from e682635 to ebb09da Compare May 14, 2026 13:45
@kevinpark1217 kevinpark1217 mentioned this pull request May 14, 2026
Open
@pjjw @kevinpark1217
feat(toolchains): Add 3.10.20, 3.11.15, 3.12.13, 3.13.{12,13} 3.14.{3…
503bf8b 
…,4}, 3.15.0a8 (#3708)

This updates the Python version mappings to include the latest released
versions.

(cherry picked from commit 6dac0f6)
@kevinpark1217 kevinpark1217 force-pushed the backport-toolchains-3708-release-2.0 branch from ebb09da to 503bf8b Compare May 18, 2026 09:53
@kevinpark1217 kevinpark1217 mentioned this pull request May 18, 2026
Closed
aignas
aignas approved these changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aignas aignas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@aignas aignas merged commit 6aad882 into bazel-contrib:release/2.0 May 20, 2026
4 checks passed
pull Bot pushed a commit to garymm/rules_python that referenced this pull request May 20, 2026
@kevinpark1217
docs: split toolchain bumps from bazel-contrib#3708 into 2.0.2 and 1.…
dc9c1ab 
…9.1 changelog sections (bazel-contrib#3777)

Per [@aignas's
comment](bazel-contrib#3773 (comment))
on bazel-contrib#3773, moves the toolchain bullets that bazel-contrib#3708 added under
`Unreleased` into dated `2.0.2` and `1.9.1` sections so the next release
from `main` doesn't re-announce them.

**Before:** Bullets sit under `Unreleased` on `main`.

**After:** New `## [2.0.2] - 2026-05-14` section between `Unreleased`
and `2.0.1`, and a new `## [1.9.1] - 2026-05-14` section between `2.0.0`
and `1.9.0`. Bullet text is reused verbatim.

Companion PRs:
- bazel-contrib#3775 — backport bazel-contrib#3708 to `release/2.0` (2.0.2)
- bazel-contrib#3776 — backport bazel-contrib#3708 to `release/1.9` (1.9.1)

Refs bazel-contrib#3773.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aignas aignas aignas approved these changes

@rickeylev rickeylev Awaiting requested review from rickeylev rickeylev is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kevinpark1217 @aignas @pjjw @meteorcloudy