Hacker News
by dharmab, 1268 days ago
My team is using Poetry.
Did you know pip can execute arbitrary code when installing packages?
2 comments
uranusjr, 1268 days ago
Just FYI, Poetry is still using pip under the hood. Also (unrelated to Poetry’s pip usage), if you ever build a dependency from source (the situation where pip executes arbitrary code), Poetry also executes arbitrary code.
teruakohatu, 1268 days ago
I use Poetry, but regardless, as soon as you import a library, arbitrary code is executed.
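Both replies point at the same condition: pip (and Poetry via pip) runs a package's build code only when it has to build a source distribution. The check below is an added example, not code from this thread, from pip or from Poetry. It audits a requirements file before installation and flags every entry that could force a source build: unpinned versions, pinned versions with no `--hash=sha256:` lock, and direct URL/VCS references. The sample requirements text and its hashes are constructed placeholders, and the audit is meant to run ahead of `pip install --require-hashes --only-binary=:all:`, which makes pip fail rather than build when no wheel is available.

```python
"""Pre-install gate for requirements files (added example, not from the thread).

Rejecting unpinned, unhashed or VCS requirements up front, then installing with
``--require-hashes --only-binary=:all:``, keeps pip from ever unpacking a sdist
and executing its build script during installation.
"""
import re
from dataclasses import dataclass

# Constructed sample requirements file; the sha256 digest is a placeholder,
# not a real hash of any release.
SAMPLE_REQUIREMENTS = """\
# fine: pinned and hash-locked, so only the matching wheel is accepted
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# weak: pinned but no hash, pip may pick a sdist if no wheel matches the platform
pyyaml==6.0.1
# weak: version range, the resolver chooses whatever is newest at install time
cryptography>=41
# weak: a VCS reference is always fetched and built from source
git+https://example.invalid/org/tool.git@main#egg=tool
"""

# Install command that refuses anything the audit would flag (real pip flags).
RECOMMENDED_INSTALL = [
    "pip", "install", "--require-hashes", "--only-binary=:all:", "-r", "requirements.txt",
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;\\]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")


@dataclass
class Finding:
    line: str
    reason: str


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blanks, as pip does."""
    lines = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def audit_requirements(text):
    """Return one Finding per requirement that could trigger a source build."""
    findings = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first.startswith(VCS_PREFIXES) or "://" in first:
            findings.append(Finding(line, "direct URL/VCS requirement is built from source"))
            continue
        if not PIN_RE.match(line):
            findings.append(Finding(line, "not pinned with =="))
            continue
        if not HASH_RE.search(line):
            findings.append(Finding(line, "no --hash=sha256:... lock"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.reason}: {f.line}")
    print("install with:", " ".join(RECOMMENDED_INSTALL))
```

Running the audit on the sample reports the three weak entries and leaves the hash-locked one alone; in CI the install step should run only when the audit returns nothing, and `--only-binary=:all:` turns a missing wheel into an install failure instead of a build.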