
Enhancement: Do not allow pip to upgrade python core packages by default #4527

Closed
@GadgetSteve

  • Pip version: 9+
  • Python version: All
  • Operating system: All

Description:

As reported on Hacker Noon, it is possible for people to maliciously or accidentally register packages on PyPI or other locations that would overwrite the default packages installed with Python. These could be downloaded directly or via requires in other packages.

Some installations on some OSs do provide a degree of protection via the user permissions on the packages.

While it is sometimes necessary to upgrade the packages shipped by default with Python (such as pip or ssl recently), it would be an enhancement for pip to refuse to work, with a nice clear error message, on any package that overwrites the default packages unless the user specifies a specific override at invocation.

This could be achieved by having a list of the packages that are present by default for each current version of Python and filtering processing based on the list for the version being run against.

Possibly --allow-core-overwrite might be a suitable flag to disable this behaviour.
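The gate proposed above (a per-interpreter list of default package names, a refusal with a clear message, and an override flag) can be sketched as a small pre-install check. This is an added example, not pip's code and not part of the original issue; it assumes the flag name `--allow-core-overwrite` from the proposal, uses `sys.stdlib_module_names` (available in CPython 3.10 and later) as the "present by default" list with a constructed fallback for older interpreters, and adds a constructed set of bundled distributions (`pip`, `setuptools`) that the real build may or may not ship.

```python
import re
import sys
from typing import Iterable, List, Tuple

# Override flag name taken from the proposal in the issue (assumed, not a real pip flag).
OVERRIDE_FLAG = "--allow-core-overwrite"

# Distributions bundled with the interpreter rather than stdlib modules.
# Constructed for this example; the real bundled set depends on the Python build.
BUNDLED_DISTRIBUTIONS = {"pip", "setuptools"}


def normalize(name: str) -> str:
    """Compare names the way PyPI does: case-insensitive, with '-', '_' and '.' treated alike."""
    return re.sub(r"[-_.]+", "_", name).lower()


def core_package_names() -> frozenset:
    """Names an installed distribution must not shadow for the running interpreter.

    Uses sys.stdlib_module_names on 3.10+; on older interpreters falls back to a
    constructed subset so the example still runs offline.
    """
    stdlib = getattr(sys, "stdlib_module_names", None)
    if stdlib is None:
        stdlib = {"ssl", "json", "os", "sys", "hashlib", "socket", "subprocess"}  # constructed fallback
    return frozenset(normalize(n) for n in set(stdlib) | BUNDLED_DISTRIBUTIONS)


def requirement_name(requirement: str) -> str:
    """Extract the project name from a requirement line such as 'ssl==1.16' or 'requests>=2.0'."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return match.group(1) if match else ""


def check_requirements(requirements: Iterable[str], argv: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split requirements into (allowed, blocked).

    A requirement is blocked when its normalised name collides with a core package
    and the override flag is absent from argv. Feed this the fully resolved set
    (direct requirements plus their dependencies), since the collision may arrive
    transitively via another package's requires.
    """
    override = OVERRIDE_FLAG in set(argv)
    core = core_package_names()
    allowed, blocked = [], []
    for requirement in requirements:
        name = requirement_name(requirement)
        if not name:
            continue  # not a name-based requirement (e.g. a URL or blank line); out of scope here
        if normalize(name) in core and not override:
            blocked.append(name)
        else:
            allowed.append(requirement)
    return allowed, blocked


def format_refusal(blocked: List[str]) -> str:
    """The clear error message the proposal asks for."""
    return (
        "Refusing to install packages that would overwrite packages shipped with Python "
        f"{sys.version_info.major}.{sys.version_info.minor}: {', '.join(blocked)}. "
        f"Re-run with {OVERRIDE_FLAG} to override."
    )


if __name__ == "__main__":
    # Constructed requirement set: one ordinary package and two that shadow core names.
    sample = ["requests>=2.0", "ssl==1.16", "Pip"]
    ok, bad = check_requirements(sample, argv=sys.argv[1:])
    if bad:
        print(format_refusal(bad))
        sys.exit(1)
    print("would install:", ok)
```

Running the script with no arguments refuses `ssl` and `Pip`; passing `--allow-core-overwrite` lets them through. The normalisation step matters for detection: `Ssl`, `SSL` and `ssl` all name the same module, and a check that compares raw strings would miss two of them.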

Labels: auto-locked (Outdated issues that have been locked by automation), resolution: invalid (Invalid issue/PR)