"Michael Kennedy's Thoughts on Technology": Python Supply Chain Security Made Easy

Hackers have been attempting to inject malicious code into machines by exploiting open source software, which can also affect users of libraries or applications. Recently, there have been several high-danger PyPI security issues, including compromised package releases and fake packages designed to steal cloud access tokens. One example is the ultralytics package, which was compromised and contained code that downloaded a coinminer. Another example is a campaign of fake packages that stole cloud access tokens, with over 14,100 downloads before removal. To prevent such issues, Python's official package scanning technology, pip-audit, can be integrated into continuous integration and unit tests. Pip-audit checks against PyPA's official list of vulnerabilities and can be run on the command line or set up as a GitHub Action. It can also be added to a project's development dependencies or installed globally, and a unit test can be created to run pip-audit and fail if an issue is found. By adding a delay to upgrading dependencies, developers can reduce the risk of installing malicious packages, as issues are often reported and resolved within a few days. This can be achieved using uv's ability to put a delay on upgrading dependencies, such as excluding newer packages for a certain period of time. By combining pip-audit with a delay in upgrading dependencies, developers can add an extra layer of security to their workflow and reduce the risk of installing malicious packages. Overall, integrating pip-audit and adding a delay to upgrading dependencies can help prevent malicious packages from being installed and reduce the risk of security issues.