From a7bf4c49af056db78419837c461a230b9e32bf18 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 28 Dec 2022 10:39:22 -0500
Subject: [PATCH 1/3] _virtual_env: ensure setuptools is up-to-date
Signed-off-by: William Woodruff
---
 pip_audit/_virtual_env.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pip_audit/_virtual_env.py b/pip_audit/_virtual_env.py
index 39830eec..28b944e4 100644
--- a/pip_audit/_virtual_env.py
+++ b/pip_audit/_virtual_env.py
@@ -86,6 +86,7 @@ def post_setup(self, context: SimpleNamespace) -> None:
 "--upgrade",
 "pip",
 "wheel",
+ "setuptools",
 ]
 try:
 run(pip_upgrade_cmd, state=self._state)
From b5288496f006c44c905bf5410905d786108c2d98 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 28 Dec 2022 10:40:28 -0500
Subject: [PATCH 2/3] _virtual_env: add TODO
Signed-off-by: William Woodruff
---
 pip_audit/_virtual_env.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pip_audit/_virtual_env.py b/pip_audit/_virtual_env.py
index 28b944e4..d8be08f7 100644
--- a/pip_audit/_virtual_env.py
+++ b/pip_audit/_virtual_env.py
@@ -78,6 +78,8 @@ def post_setup(self, context: SimpleNamespace) -> None:
 # Firstly, upgrade our `pip` versions since `ensurepip` can leave us with an old version
 # and install `wheel` in case our package dependencies are offered as wheels
+ # TODO: This is probably replaceable with the `upgrade_deps` option on `EnvBuilder`
+ # itself, starting with Python 3.9.
 pip_upgrade_cmd = [
 context.env_exe,
 "-m",
From 89fc832dca4dc44a6a7b79bb52e54ab281801578 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 28 Dec 2022 12:13:45 -0500
Subject: [PATCH 3/3] CHANGELOG: record changes
Signed-off-by: William Woodruff
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17e66a67..28aac0be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
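Review bot: The comment that explains this upgrade step, visible as context in the second patch's hunk (`# Firstly, upgrade our \`pip\` versions ... # and install \`wheel\` ...`), still names only pip and wheel, so the reason `"setuptools"` now sits in the list is undocumented; suggest appending `# and \`setuptools\`, since the copy \`ensurepip\` bootstraps may be outdated (and presumably would itself show up in the audit results)`. It is also worth noting in that comment that all three packages are upgraded unpinned to whatever the configured index currently serves, so the environment's build tooling is determined at audit time rather than by the interpreter's bundled copies. The `try` around `run(pip_upgrade_cmd, state=self._state)` continues past the hunk, so how a failed upgrade (offline or restricted index) is surfaced is not visible here; `post_setup` starts and ends outside the hunk.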
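Review bot: The new TODO likely overstates what `upgrade_deps` would buy: `EnvBuilder(upgrade_deps=True)` upgrades only the packages `ensurepip` bootstraps (pip and setuptools), not `wheel`, so the explicit pip invocation below would still be needed for wheel even on Python 3.9+. Suggest qualifying the comment, e.g. `# TODO: \`pip\` and \`setuptools\` could be upgraded via \`EnvBuilder(upgrade_deps=True)\` (Python 3.9+),` / `# but \`wheel\` would still need an explicit install step.` The enclosing `post_setup` body starts and ends outside the hunk.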
@@ -8,6 +8,12 @@ All versions prior to 0.0.9 are untracked.
 ## [Unreleased]
+### Fixed
+
+* Fixed `pip-audit`'s virtual environment creation and upgrade behavior,
+ preventing spurious vulnerability reports
+ ([#454](https://github.com/pypa/pip-audit/pull/454))
+
 ## [2.4.11]
 ### Fixed