Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a warning about "dependency confusion" vulnerability #9647

Merged
merged 5 commits into from
Apr 3, 2021
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 18 additions & 10 deletions docs/html/reference/pip_install.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1123,37 +1123,45 @@ Examples

py -m pip install --index-url http://my.package.repo/simple/ SomePackage

Search an additional index during install, in addition to `PyPI`_
Install from a local flat directory containing archives (and don't scan indexes):

.. tab:: Unix/macOS

.. code-block:: shell

python -m pip install --extra-index-url http://my.package.repo/simple SomePackage
python -m pip install --no-index --find-links=file:///local/dir/ SomePackage
python -m pip install --no-index --find-links=/local/dir/ SomePackage
python -m pip install --no-index --find-links=relative/dir/ SomePackage

.. tab:: Windows

.. code-block:: shell

py -m pip install --extra-index-url http://my.package.repo/simple SomePackage
py -m pip install --no-index --find-links=file:///local/dir/ SomePackage
py -m pip install --no-index --find-links=/local/dir/ SomePackage
py -m pip install --no-index --find-links=relative/dir/ SomePackage

Install from a local flat directory containing archives (and don't scan indexes):
Search an additional index during install, in addition to `PyPI`_

.. warning::

Using this option to search for packages which are not in the main
repository (such as private packages) is unsafe, per a security
vulnerability called "dependency confusion": an attacker can claim the
package on the public repository in a way that will ensure it gets
chosen over the private package.
vanschelven marked this conversation as resolved.
Show resolved Hide resolved

.. tab:: Unix/macOS

.. code-block:: shell

python -m pip install --no-index --find-links=file:///local/dir/ SomePackage
python -m pip install --no-index --find-links=/local/dir/ SomePackage
python -m pip install --no-index --find-links=relative/dir/ SomePackage
python -m pip install --extra-index-url http://my.package.repo/simple SomePackage

.. tab:: Windows

.. code-block:: shell

py -m pip install --no-index --find-links=file:///local/dir/ SomePackage
py -m pip install --no-index --find-links=/local/dir/ SomePackage
py -m pip install --no-index --find-links=relative/dir/ SomePackage
py -m pip install --extra-index-url http://my.package.repo/simple SomePackage


#. Find pre-release and development versions, in addition to stable versions. By default, pip only finds stable versions.
Expand Down
2 changes: 1 addition & 1 deletion docs/html/user_guide.rst
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ does not come with it included.

pip install keyring
echo your-password | keyring set pypi.company.com your-username
pip install your-package --extra-index-url https://pypi.company.com/
pip install your-package --index-url https://pypi.company.com/

.. _keyring: https://pypi.org/project/keyring/

Expand Down
1 change: 1 addition & 0 deletions news/9647.doc.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add warning about --extra-index-url and dependency confusion
vanschelven marked this conversation as resolved.
Show resolved Hide resolved