Hi all,
I was wondering whether the Poetry team has thoughts about adding a pre-add or pre-install sanitation step where one could run any audit tool for SAST. With typosquatting and account hijacking becoming more tangible and serious nowadays, moving ahead with the current way of installing packages would induce a threat for every user.
Discussions like https://github.com/orgs/python-poetry/discussions/9252 and https://github.com/orgs/python-poetry/discussions/9262 sparked some thoughts, and I was really hoping to see effort on the side of PyPI and package installers such as Poetry to secure the ecosystem.
The question could also be phrased as: is this something the package/dependency manager should be responsible for, and to what extent?
Open for debate:
Here I'm open to suggestions before moving on to set up a POC and submit a PR for this idea.
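To make the proposed pre-add step concrete, here is an added example (not code from the post or from the Poetry project) of the kind of check such a hook could run before anything is resolved or installed: it pulls the dependency names out of a `[tool.poetry.dependencies]` table, normalises them per PEP 503, and flags any name that is a small edit distance away from, but not equal to, a well-known package name. The allow-list, the sample `pyproject.toml` content and the distance threshold are all constructed for the example; a hook name and how Poetry would invoke it are assumptions, since no such hook exists today.

```python
"""Hypothetical pre-add typosquat check for Poetry dependency names (added example)."""
import re

# Constructed allow-list of well-known names. A real deployment would
# source this from an organisation-curated list or a download-count feed.
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "pyyaml", "django"}

# Names that are never third-party dependencies in this table.
RESERVED = {"python"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def suspicious_names(names, known=KNOWN_PACKAGES, max_distance=2):
    """Return {requested_name: closest_known_name} for names that are close to,
    but not identical with, a known package. Exact matches are not flagged."""
    known_norm = {normalize(k) for k in known}
    flagged = {}
    for name in names:
        n = normalize(name)
        if n in known_norm:
            continue
        best = min(known_norm, key=lambda k: levenshtein(n, k))
        if 0 < levenshtein(n, best) <= max_distance:
            flagged[name] = best
    return flagged


def dependencies_from_pyproject(text: str):
    """Line-based extraction of dependency names from [tool.poetry.dependencies].
    Deliberately minimal: it only needs the keys, not the version constraints."""
    names, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        key = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*=", line)
        if section == "tool.poetry.dependencies" and key and key.group(1) not in RESERVED:
            names.append(key.group(1))
    return names


# Constructed sample pyproject.toml with two near-miss names.
SAMPLE_PYPROJECT = """
[tool.poetry]
name = "demo"

[tool.poetry.dependencies]
python = "^3.10"
requets = "^2.31"
numpy = "^1.26"
cryptograpy = {version = "*", optional = true}

[tool.poetry.group.dev.dependencies]
pytest = "^8"
"""


def pre_add_check(pyproject_text: str):
    """What a hypothetical pre-add hook would return: the names to block or warn on."""
    return suspicious_names(dependencies_from_pyproject(pyproject_text))


if __name__ == "__main__":
    for requested, nearest in pre_add_check(SAMPLE_PYPROJECT).items():
        print(f"WARNING: '{requested}' is within 2 edits of '{nearest}'; refusing to add")
```

A check like this is cheap enough to run on every `poetry add`, and it complements rather than replaces an external audit tool: the edit-distance heuristic catches the typosquatting case the post raises, while account hijacking of a legitimately named package needs signature or provenance verification that only the index can supply.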