From ec6acea055bdd8f5121fa9f0e110e168db6c9876 Mon Sep 17 00:00:00 2001
From: Michael Hucka <mhucka@google.com>
Date: Wed, 30 Jul 2025 14:05:05 -0700
Subject: [PATCH] Replace use of exec with runpy

`setup.py` uses `exec` to read the version number from the version file. It's generally considered best practice to avoid `exec` because of risks it carries. In this particular case, we can borrow the technique used in Cirq's `setup.py`, and use the Python `runpy` package.
---
 setup.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/setup.py b/setup.py
index 1cda4788d..2ad08845f 100644
--- a/setup.py
+++ b/setup.py
@@ -14,6 +14,7 @@
 
 import os
 import re
+import runpy
 import sys
 import shutil
 import platform
@@ -131,8 +132,9 @@ def build_extension(self, ext):
 # README file as long_description.
 long_description = open("README.md", encoding="utf-8").read()
 
-__version__ = ""
-exec(open("qsimcirq/_version.py").read())
+__version__ = runpy.run_path("qsimcirq/_version.py")["__version__"]
+if not __version__:
+    raise ValueError("Version string cannot be empty")
 
 setup(
     name="qsimcirq",