ExLisper@linux.community to Programmer Humor@lemmy.ml · English · 1 year ago
Package managers be like (image post, linux.community)
SpaceNoodle@lemmy.world · 1 year ago
npm is objectively worse. Base pip packages aren’t getting hijacked.

Redscare867@lemmy.ml · 1 year ago
Maybe I’m misremembering, but didn’t pip have its own security concerns earlier this year?

_stranger_@lemmy.world · 1 year ago
I believe that was just name squatting.

fragment@lemmy.world · 1 year ago
It’s less the name squatting and more pip not supporting a certain PyPI resolution order: https://github.com/pypa/pip/issues/8606

For example, I have A, B and C in my requirements.txt but I want to install C from my own private PyPI. Everything works fine until someone uploads a package named C to the public PyPI, then suddenly I’m not installing my private package anymore.
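The situation fragment describes, as an added example that is not part of the thread and not pip's own code: a small model of how pip pools candidates from `--index-url` and every `--extra-index-url` and simply takes the highest version, which is the behaviour pip issue #8606 is about. The two index listings are constructed sample data, `find_shadowed` is a defender-side check for private names that also exist on the public index, and `pinned_resolve` models what a private proxy acting as the single index could enforce; it is not an option pip itself offers.

```python
"""Model of pip's multi-index candidate pooling and two defender checks.
Added example; the index contents below are constructed, not real PyPI data."""
from typing import Dict, Iterable, List, Tuple

Index = Dict[str, List[str]]  # package name -> published versions

# Constructed sample indexes (hypothetical contents).
PUBLIC_INDEX: Index = {
    "A": ["1.0.0", "1.1.0"],
    "B": ["2.3.1"],
    "C": ["99.0.0"],   # a stranger's upload with the same name as the private C
}
PRIVATE_INDEX: Index = {
    "C": ["1.4.2"],    # the package the requirements file actually means
}
INDEXES: List[Tuple[str, Index]] = [("public", PUBLIC_INDEX), ("private", PRIVATE_INDEX)]


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal dotted-integer version key (real pip orders by PEP 440)."""
    return tuple(int(part) for part in v.split("."))


def pip_style_resolve(requirements: Iterable[str],
                      indexes: List[Tuple[str, Index]]) -> Dict[str, Tuple[str, str]]:
    """Candidates from every configured index are pooled and the highest
    version wins, whichever index it came from. Returns name -> (version, index)."""
    chosen: Dict[str, Tuple[str, str]] = {}
    for name in requirements:
        candidates = [(parse_version(v), v, label)
                      for label, index in indexes
                      for v in index.get(name, [])]
        if not candidates:
            raise LookupError(f"no candidate for {name}")
        _, version, label = max(candidates)  # highest version, index ignored
        chosen[name] = (version, label)
    return chosen


def find_shadowed(private_names: Iterable[str], public_index: Index) -> List[str]:
    """Defender check: private package names that also exist on the public index.
    Any hit means a plain install with an extra index may pick the public copy."""
    return sorted(n for n in private_names if n in public_index)


def pinned_resolve(requirements: Iterable[str], indexes: List[Tuple[str, Index]],
                   private_only: Iterable[str],
                   private_label: str = "private") -> Dict[str, Tuple[str, str]]:
    """What a private proxy serving as the single index can enforce: names in
    private_only are only ever taken from the private index; everything else
    pools as pip does. (Hypothetical policy, not a pip feature.)"""
    private_only = set(private_only)
    chosen: Dict[str, Tuple[str, str]] = {}
    for name in requirements:
        usable = [(label, idx) for label, idx in indexes
                  if name not in private_only or label == private_label]
        chosen.update(pip_style_resolve([name], usable))
    return chosen


if __name__ == "__main__":
    reqs = ["A", "B", "C"]
    print("pip-style :", pip_style_resolve(reqs, INDEXES))       # C comes from public
    print("shadowed  :", find_shadowed(PRIVATE_INDEX, PUBLIC_INDEX))
    print("pinned    :", pinned_resolve(reqs, INDEXES, {"C"}))   # C comes from private
```

Running the block shows `C` resolving to `99.0.0` from the public index under pip-style pooling, the shadow check flagging `C`, and the per-name pinning policy restoring `1.4.2` from the private index; the point of the thread's linked issue is that the third behaviour has to come from something in front of pip, not from pip's own options.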