[ZeroAurora]

I personally treat it as a supply chain risk, as there are no longer any way to report any bugs and security problems.

[chrisjj]

Then why not provide one yourself?

[ZeroAurora]

Forking is a good option for companies, but not a good option for sole developers: one doesn't have that much energy.

Switching to other libraries like requests and aiohttp and supporting them by contributing is clearly a better option.

[nateb2022]

https://github.com/MarkusSintonen/pyreqwest is a great alternative, much more performant than requests/httpx/aiohttp, and provides an easy httpx compatible wrapper for migration.

[nijave]

No need. There are plenty of other active alternatives

[dchest]

How is _your_ supply chain a concern of this open source developer?

[ZeroAurora]

_My_ supply chain is not a big deal, lol. But this is HTTPX. A network library that has a considerable number of users.

When I say _considerable_, I'm essentially saying _nearly every_ big tech. The one I can tell for sure is OpenAI (not a fan of them though).

Remember xz attack?

[dchest]

Why can nearly every big tech take care of their supply chain? :)

Clearly, the maintainer doesn't want to do this job anymore, and it's not a requirement when releasing your code to also do stuff unrelated to programming.

[nijave]

The parent poster never said it was. They just claimed it's risky for them which I agree with