by oblvious-earth
535 days ago
If you're concerned about dependency confusion attacks you should host your own index and vet what goes onto it. But there is a better solution coming: PEP 708 was developed for this and is in prototype on pypi.org, so it's an overstatement to say "don't even have a way to avoid dependency confusion attacks". It is, however, a non-trivial problem, and more solutions will likely come over the years; many Python packaging tools like uv and poetry (and likely others) have a way to name indexes and pin specific packages to indexes, which appears to be a promising UX.
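As an added illustration of the "name indexes and pin packages to them" approach the comment mentions (this is not the commenter's own configuration), here is what that looks like in a `pyproject.toml` for uv and for Poetry. The index name `internal`, its URL, and the package name `acme-utils` are placeholders. In both tools the private index is marked explicit, so it is never consulted for ordinary dependencies, and the internal package is pinned to it, so a same-named package published to the public index is never a candidate for that name.

```toml
# uv: declare a named index that is only used when a package explicitly
# selects it ("explicit = true"), then pin the internal package to it.
[[tool.uv.index]]
name = "internal"                                  # placeholder index name
url = "https://pypi.example.internal/simple"       # placeholder URL
explicit = true

[tool.uv.sources]
acme-utils = { index = "internal" }                # placeholder package name

# Poetry: same idea. "priority = 'explicit'" keeps the source out of the
# default resolution order; the dependency names the source it comes from.
[[tool.poetry.source]]
name = "internal"                                  # placeholder index name
url = "https://pypi.example.internal/simple/"      # placeholder URL
priority = "explicit"

[tool.poetry.dependencies]
python = "^3.10"
acme-utils = { version = "^1.2", source = "internal" }   # placeholder package
```

The important check after configuring either tool is to inspect the lock file (`uv.lock` or `poetry.lock`) and confirm that the pinned package's recorded source URL is the internal index and not the public one; a package that resolves from the public index despite the pin indicates a misconfiguration, not protection.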