by ed_balls 1815 days ago
The link describes the attack vector. pipenv locks the dependencies using hashes. If your company has my-company-py-lib then pip could install a public library that pretends to be internal.
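An added example (not from the comment above or from pipenv's own code) of what the lock's hashes buy you: a package served under the internal name and version from a different index has different bytes, so its sha256 does not match the pinned value and is rejected. All package names, artifact bytes and index URLs are constructed for the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample data: an internal build of my-company-py-lib, and what a
# public index might serve under the same name and version (different bytes).
INTERNAL_ARTIFACT = b"my-company-py-lib==1.2.0 built from the internal repo\n"
LOOKALIKE_ARTIFACT = b"my-company-py-lib==1.2.0 published to the public index\n"


def sha256_of(data: bytes) -> str:
    """Hash an artifact in the 'sha256:<hex>' form used in Pipfile.lock."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# The relevant fragment of a Pipfile.lock as pipenv writes it after resolving
# against the internal index: the hashes pin the bytes resolved at lock time.
LOCKFILE = {
    "default": {
        "my-company-py-lib": {
            "version": "==1.2.0",
            "hashes": [sha256_of(INTERNAL_ARTIFACT)],
        },
    }
}

# Candidates a resolver might see for the same name: (index URL, served bytes).
CANDIDATES: List[Tuple[str, bytes]] = [
    ("https://pypi.org/simple", LOOKALIKE_ARTIFACT),
    ("https://pypi.internal.example/simple", INTERNAL_ARTIFACT),
]


def verify_against_lock(lock: dict, name: str, artifact: bytes) -> bool:
    """True only if the artifact's sha256 is one of the hashes pinned for name."""
    entry = lock["default"].get(name)
    if entry is None or not entry.get("hashes"):
        return False  # unpinned package: nothing to verify against, so reject
    return sha256_of(artifact) in entry["hashes"]


def select_trusted_candidate(lock: dict, name: str,
                             candidates: List[Tuple[str, bytes]]) -> Optional[str]:
    """Return the index URL whose artifact matches the lock, or None if none does.

    A public package that merely reuses the internal name and version carries
    different bytes, so its hash does not match and it is skipped.
    """
    for index_url, artifact in candidates:
        if verify_against_lock(lock, name, artifact):
            return index_url
    return None
```

The hashes only protect installs made from an existing lock: if the lock itself was generated while the public lookalike resolved first, the wrong hash is what gets pinned, so the index configuration at lock time matters as much as the check at install time.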