https://github.com/pyro-ppl/pyro/security/dependabot/1

To resolve the issue add a supported lockfile (Pipfile.lock, pyproject.lock or poetry.lock).

fritz: oh man we're using an old setuptools because lap requires it. I guess we can drop lap support; I doubt anyone but me ever used it, but I'd still prefer to follow a responsible deprecation process.