1 min read, from InfoQ

Pip 26.1 Ships Dependency Cooldowns and Experimental Lockfile Support to Combat Supply Chain Attacks

Pip 26.1 ships dependency cooldowns, which enforce a waiting period before a newly published package version can be installed, and experimental support for the pylock.toml lockfile format defined in PEP 751. Research shows that a 7-day cooldown would have prevented 8 out of 10 analyzed supply chain attacks from reaching end users.

By Steef-Jan Wiggers
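To make the cooldown mechanism concrete, here is an added illustration of the resolution rule in Python. It is not pip's own code and does not use any pip option; the package name, versions and upload timestamps are constructed. The resolver takes a set of releases with their publication times, discards every release younger than the cooldown window, and picks the newest remaining version. It also shows the edge case a practitioner has to plan for: when every release is younger than the window, nothing is eligible and the install must fail closed rather than silently fall back to the fresh version.

```python
from datetime import datetime, timedelta, timezone

# Constructed release metadata for a hypothetical package "examplepkg".
# Upload times are ISO 8601 in UTC; all values are invented for this example.
RELEASES = {
    "1.4.0": "2025-01-05T10:00:00+00:00",
    "1.4.1": "2025-02-20T09:30:00+00:00",
    "1.5.0": "2025-03-01T08:00:00+00:00",  # published one day before NOW
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2025, 3, 2, 12, 0, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases: dict, cooldown_days: int, now: datetime) -> list:
    """Return versions published at least `cooldown_days` before `now`, oldest first."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [
        version
        for version, uploaded in releases.items()
        if datetime.fromisoformat(uploaded) <= cutoff
    ]
    return sorted(eligible, key=parse_version)


def select_version(releases: dict, cooldown_days: int, now: datetime):
    """Pick the newest version that has aged past the cooldown.

    Returns None when no release is old enough: the caller should treat that
    as an install failure, not as permission to take the newest release.
    """
    eligible = eligible_versions(releases, cooldown_days, now)
    return eligible[-1] if eligible else None


def held_back(releases: dict, cooldown_days: int, now: datetime) -> list:
    """Versions skipped because they are still inside the cooldown window."""
    eligible = set(eligible_versions(releases, cooldown_days, now))
    return sorted((v for v in releases if v not in eligible), key=parse_version)


if __name__ == "__main__":
    for days in (0, 7, 60):
        chosen = select_version(RELEASES, days, NOW)
        print(f"cooldown={days:>2}d -> install {chosen or 'nothing (fail closed)'}; "
              f"held back: {held_back(RELEASES, days, NOW)}")
```

With a 7-day window the resolver installs 1.4.1 and holds back 1.5.0, which is the behaviour that gives maintainers and scanners time to notice and yank a compromised upload; with no cooldown it takes 1.5.0 immediately, and with a window longer than the package's whole release history it returns None.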
