What's the problem this feature will solve?
Prevent local and upstream supply chain attacks that deliver compromised packages via a non-PyPI domain.

Describe the solution you'd like
Add a trusted-domains config option with reasonable defaults, like pypi.org, files.pythonhosted.org, etc.

Alternative Solutions
Users could set up firewall rules for pip to block corrupt dependency paths.

Additional context
170,000 Python users were impacted in this attack: https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
I'm hopeful that we can mitigate such an attack!
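The following is an added illustration of how a trusted-domains allowlist could be enforced on the URLs a resolver collects; it is not pip's code and does not reflect any design decision by the pip maintainers. It assumes the option is a list of hostnames (the two defaults named in the issue are used as constructed sample values) and that a download or index URL is accepted only on an exact host match over https. The function names, the `DEFAULT_TRUSTED_DOMAINS` constant and the sample URLs are all constructed for this example. The point it makes beyond the issue text is that the comparison has to be on the parsed hostname, exact and normalized, so that look-alike hosts such as `pypi.org.example.invalid` or a trusted name smuggled into the userinfo part of the URL do not pass.

```python
"""Illustrative enforcement of a hypothetical pip "trusted-domains" option.

Added example, not pip's own code. Assumes the option holds a list of
hostnames and that a URL is accepted only when its host matches exactly.
"""
from urllib.parse import urlsplit

# Constructed defaults mirroring the issue's suggestion.
DEFAULT_TRUSTED_DOMAINS = ("pypi.org", "files.pythonhosted.org")


def normalize_host(host):
    # Lower-case and drop a trailing dot so "PyPI.org." compares equal to "pypi.org".
    return host.lower().rstrip(".")


def check_url(url, trusted=DEFAULT_TRUSTED_DOMAINS):
    """Return (allowed, reason) for one candidate index or download URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Plain http would let an on-path attacker swap the archive.
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username is not None:
        # "https://pypi.org@evil.example/" puts the trusted name in userinfo;
        # the real host is evil.example, so reject the form outright.
        return False, "URL carries userinfo, which can disguise the real host"
    host = parts.hostname  # port already stripped; None if no host present
    if not host:
        return False, "URL has no host"
    host = normalize_host(host)
    allowed = {normalize_host(d) for d in trusted}
    if host in allowed:
        return True, f"host {host} is trusted"
    # Exact match only: a suffix/substring test would accept pypi.org.example.invalid.
    return False, f"host {host} is not in trusted-domains"


def filter_download_urls(urls, trusted=DEFAULT_TRUSTED_DOMAINS):
    """Split candidate URLs into accepted and rejected lists, each with a reason."""
    accepted, rejected = [], []
    for url in urls:
        ok, reason = check_url(url, trusted)
        (accepted if ok else rejected).append((url, reason))
    return accepted, rejected


# Constructed sample of links as a resolver might collect them from an index page.
SAMPLE_URLS = [
    "https://files.pythonhosted.org/packages/ab/cd/examplepkg-1.0.0-py3-none-any.whl",
    "https://PyPI.org/simple/examplepkg/",
    "https://pypi.org.example.invalid/packages/examplepkg-1.0.0.tar.gz",
    "https://pypi.org@mirror.example.invalid/packages/examplepkg-1.0.0.tar.gz",
    "http://files.pythonhosted.org/packages/ab/cd/examplepkg-1.0.0-py3-none-any.whl",
]

if __name__ == "__main__":
    ok, bad = filter_download_urls(SAMPLE_URLS)
    for url, reason in ok:
        print("ALLOW", url, "->", reason)
    for url, reason in bad:
        print("BLOCK", url, "->", reason)
```

Running the block prints two ALLOW lines (the wheel on files.pythonhosted.org and the mixed-case pypi.org index URL) and three BLOCK lines with the reason for each rejection; the rejected list is the thing worth logging, since a single blocked host during an install is the signal that an index, mirror or requirements file is pointing somewhere it should not.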