by captn3m0 309 days ago
Now I am curious whether these ZIP confusion attacks are mitigated at other registries that use ZIPs? Are there any such?
1 comments

Apart from Python Wheels, the other popular ecosystems using zip files are Java jar files, and NuGet.

Of these Java is the most interesting as there are a few JDKs commonly in use.

But I’m also interested in various security scanners that are built in other languages that can be fooled.

Does NPM not use zip files?

(Search results for `npm package format` are entirely not useful for figuring out what an NPM package actually consists of, beyond containing a `package.json` file. `pypi package format` results look wildly different; the first result I get is https://packaging.python.org/en/latest/discussions/package-f... which is quite comprehensive about the exact information I want — disregarding for a moment the fact that I already know this stuff ;) The NPM search results, for me, start with a Geeks4Geeks tutorial on creating a package. Is there even anything analogous to the Python Packaging Authority — misunderstood and not-actually-authoritative as it is — for NPM?)

npm and Cargo use gzipped tarballs.

Tar is an awful format that has multiple ways of specifying file names and file sizes, so there could be some shenanigans happening.

It's also possible to make archives have different content based on case-sensitivity of the file system.

Ah. Python source distributions are the same, so there may be additional considerations there. Though in general it doesn't seem like there's much concern in the Python ecosystem about that, considering that building them will run arbitrary code anyway....