Warning: Some posts on this platform may contain adult material intended for mature audiences only. Viewer discretion is advised. By clicking ‘Continue’, you confirm that you are 18 years or older and consent to viewing explicit content.
For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package name C to the public PyPI then suddenly I’m not installing my private package anymore.
Yeah, I remember now. the name squatting was from people putting malicious packages under misspelled names of well known packages, like “requets” instead of requests.
Maybe I’m misremembering, but didn’t pip have it’s own security concerns earlier this year?
I believe that was just name squatting.
It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606
For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package name C to the public PyPI then suddenly I’m not installing my private package anymore.
Yeah, I remember now. the name squatting was from people putting malicious packages under misspelled names of well known packages, like “requets” instead of requests.