The team logo
Daily Brief Changelog
v0.7

Article Details

Scrape Timestamp (UTC): 2025-02-03 12:34:18.914

Source: https://thehackernews.com/2025/02/pypi-introduces-archival-status-to.html

Original Article Text

Click to Toggle View

PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages. The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security. "Maintainers can now archive a project to let users know that the project is not expected to receive any more updates," Facundo Tuesca, senior engineer at Trail of Bits, said. In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected. That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues. In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project's status to downstream consumers. PyPI also recommends that package developers release a final version prior to archival by updating the project description to warn users and to include alternatives as replacement. The development comes shortly after PyPI rolled out the ability to quarantine projects, allowing administrators to mark a project as potentially suspicious and prevent it from being installed by other users to prevent further harm. In November 2024, PyPI administrators quarantined the Python library aiocpa after a new update was found to include malicious code designed to exfiltrate private keys via Telegram. Since August of last year, approximately 140 projects have been quarantined and subsequently removed from the registry barring one. "Having this intermediary stage enables PyPI Admins to create more safety for end users, protecting end users quicker by PyPI Admins removing a suspicious package from being installed, while allowing further investigation," PyPI Admin Mike Fiedler said. "Since project removal from PyPI is a destructive action, creating a quarantine state allows for restoring a project if deemed a false positive report without destroying any of the project's history or metadata."

Daily Brief Summary

CYBERCRIME // PyPI Enhances Security with New Project Archival Feature

PyPI has introduced a new feature enabling developers to archive Python packages, signaling no future updates or security fixes.

Archived projects will still be accessible on PyPI for installation, but will be clearly marked as no longer maintained.

This move aims to enhance supply chain security by informing users about the status of the packages they are using.

PyPI recommends releasing a final version of a package prior to archival, including a warning in the project description and suggesting alternative packages.

Additionally, PyPI has implemented a quarantine mechanism to prevent the installation of potentially malicious packages and allow time for further investigation.

In November 2024, the library "aiocpa" was quarantined due to malicious code aimed at stealing private keys via Telegram; approximately 140 projects have been quarantined since the feature's implementation.

Quarantine status offers a balance by protecting users while allowing potential restoration of falsely flagged projects, preserving their history and data.