The Python Package Index (PyPI) has launched a new archival status feature, enabling package maintainers to mark projects as unmaintained, enhancing supply chain security and transparency within the Python ecosystem.
According to Facundo Tuesca, senior engineer at Trail of Bits, this feature allows maintainers to archive a project, clearly signaling that it will no longer receive updates, security patches, or feature enhancements. This move is designed to prevent developers from relying on outdated or potentially vulnerable libraries.
Despite being archived, users can still access and install these packages without restrictions. PyPI also suggests that developers release a final version before archiving and update project descriptions with alternative recommendations to help users transition to maintained libraries.
PyPI Enhances Security Measures
This new update follows PyPI’s recent introduction of project quarantining, a security measure that allows administrators to flag and restrict potentially harmful packages before their removal. This proactive approach aims to minimize risks and protect developers from malicious dependencies.
For instance, in November 2024, PyPI quarantined and later removed the Python library aiocpa, which contained malicious code designed to steal private keys via Telegram. Since August 2024, around 140 projects have been quarantined and subsequently removed, with only one exception.
Mike Fiedler, a PyPI Admin, emphasized that the quarantine feature acts as an intermediary step, ensuring swift protection for users while allowing further investigation before permanently removing a package. This approach prevents irreversible deletions while preserving metadata and historical records.
What This Means for Python Developers
Check for Archival Status: Developers should verify whether a package is archived before integrating it into projects.
Look for Alternatives: If a library is archived, seek actively maintained replacements.
Stay Updated on Security Practices: Follow PyPI’s recommendations and security alerts to minimize risks associated with outdated dependencies.
With these enhancements, PyPI continues its mission to fortify open-source software security, ensuring developers can trust the integrity of the Python ecosystem.