Another possible "fundable": Many organizations maintain internal package repositories for libraries that are not publicly shared. This has led to "dependency confusion" attacks, where researchers or malicious actors register a package of the same name in the public (pypi) repository with a higher version number than what the organization publishes internally, causing the pip resolver to select that (malicious) package during package resolution.
While pip does offer other mechanisms to mitigate this attack (hashes and URL-based references being the two that come to mind), those mechanisms do have downsides (hashes still require trust-on-first-use, and URL-based references can be difficult to maintain for larger organizations operating multiple enclaves/private repositories). I'd love to see pip introduce a mechanism allowing users to specify specifically which repository to use for designated packages, vice the current mechanism of querying all configured repositories for the requested packages.
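As an added illustration (not code from pip or from the issue author), here is a small Python model of the resolution behaviour described above: with every index queried, the same-named public package with the higher version wins; with a per-package index pin of the kind the comment asks for, only the designated index is consulted, and a pre-install check can flag private names that a public index also serves at a higher version. The index contents, the `acme-auth` name and the `PINS` table are constructed assumptions.

```python
# Added example (not pip's code): a model of pip's multi-index resolution,
# the per-package index pin the comment asks for, and a pre-install check.
# Both index catalogues below are constructed: package -> version strings.
INDEXES = {
    "private": {"acme-auth": ["1.4.0", "1.5.2"], "requests": ["2.32.3"]},
    "pypi":    {"acme-auth": ["99.0.0"], "requests": ["2.31.0", "2.32.3"]},
}
# Hypothetical pin table: name -> the only index allowed to serve it.
# Unlisted names fall back to querying every index (pip's default today).
PINS = {"acme-auth": "private"}

def parse_version(v):
    """Minimal version key; assumes dotted integers only (no pre-releases)."""
    return tuple(int(part) for part in v.split("."))

def resolve(name, indexes=INDEXES, pins=None):
    """Return (index, version) that resolution selects.
    Unpinned: every index is queried and the highest version wins, wherever
    it came from. Pinned: only the designated index is consulted."""
    pins = pins or {}
    allowed = [pins[name]] if name in pins else list(indexes)
    candidates = [(idx, v) for idx in allowed
                  for v in indexes[idx].get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found in {allowed}")
    return max(candidates, key=lambda c: parse_version(c[1]))

def confusion_candidates(indexes=INDEXES, private="private", pins=None):
    """Private-index names that a public index also serves at a higher
    version and that no pin protects: the precondition of the attack."""
    pins = pins or {}
    hits = []
    for name, versions in indexes[private].items():
        if pins.get(name) == private:
            continue
        top_private = max(parse_version(v) for v in versions)
        for idx, catalogue in indexes.items():
            if idx == private:
                continue
            if any(parse_version(v) > top_private
                   for v in catalogue.get(name, [])):
                hits.append((name, idx))
    return hits

if __name__ == "__main__":
    print("unpinned:", resolve("acme-auth"))             # ('pypi', '99.0.0')
    print("pinned:  ", resolve("acme-auth", pins=PINS))  # ('private', '1.5.2')
    print("at risk: ", confusion_candidates())           # [('acme-auth', 'pypi')]
```

Running the check against real index listings before each install turns the trust-on-first-use gap into an explicit alert for every private name that is unpinned and shadowed publicly.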