Discussion
thewebguyd: I believe they are saying that by the time you need something like uv, your project already has too many dependencies. It's the unnecessarily large supply chain that's the problem, and uv exists to solve a problem that you should try to avoid in the first place. I think uv is great, but I somewhat agree. We see this issue with node/npm. We need smaller supply chains/fewer dependencies overall, not just band-aiding over the poor decisions with better dependency management tooling.
paulddraper: Python is genuinely a pleasant syntax and experience. [1] It's the closest language to pseudocode that exists. Like every other language from 1991, it has rough edges.
[1] https://xkcd.com/353/
joshred: This is complete nonsense. pip has all the same problems that you say uv has.
charcircuit: The 2FA of whatever account is publishing the package. I'm pretty sure PyPI already has this figured out except they seem to allow you to make an API key which just bypasses checking a 2nd factor.
__mharrison__: Love it! Let those pip users find the compromised packages for us uv users.
bombcar: Until everyone waits 7 days to install everything so the compromise is discovered on the 8th day. End result will be everyone runs COBOL only.
woodruffw: Which account is publishing the package, in a CI/CD context? It's not clear that any particular account is, since the set of people who can trigger a workflow in CI/CD aren't necessarily (and in fact aren't often) the same set of people who can create an API token on PyPI.
ramimac: We haven't blogged this yet, but a variety of teams found this in parallel. The packages are quarantined by PyPI.
Follow the overall incident: https://ramimac.me/teampcp/#phase-10
Aikido/Charlie with a very quick blog: https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-...
ReversingLabs, JFrog also made parallel reports
Scaevolus: I'm glad there's many teams with automated scans of pypi and npm running. It elevates the challenge of making a backdoor that can survive for any length of time.
gonzalohm: Or just scan all GitHub repos, find their .toml definition. Calculate the median and then add 7 days to that. That way you are always behind.
zar1048576: :-) That might not even be enough as I hear (but haven't verified) that Claude does a pretty good job of making sense out of legacy COBOL code!
zar1048576: I have a feeling we're going to be seeing many more of these pop up in the coming days and weeks. If it's of interest to the HN community, we built a tool that pulls and scans dependencies, etc., and have open sourced it: https://point-wild.github.io/who-touched-my-packages/#quick-.... The tool can also do LLM analysis to look for nefarious indicators (e.g., data exfil, cryptocurrency theft, excessive code obfuscation, etc.) I do agree with the comments below (e.g., from mil22, jmward01, etc.) that practices like making sure you are at least N days behind or version pinning do help, albeit imperfectly.
* Full disclosure, if it wasn't already clear from the above, my team / employer built it, but it's available under an MIT license.
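The "stay at least N days behind" practice that several commenters mention, as an added example that is not code from the thread or from the who-touched-my-packages tool: a small Python selector that takes release metadata in the shape of PyPI's JSON API (a `releases` mapping from version to the files uploaded for it, each file carrying `upload_time_iso_8601` and `yanked`) and returns the newest version that has been public for at least N days, holding back yanked releases as well. The package metadata, version numbers, upload dates and the fixed "now" are all constructed for the example; the version ordering is deliberately simplified to dotted integers and does not implement PEP 440.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API ("releases": version -> files).
# The versions, dates and yanked flag are made up for this example.
SAMPLE_RELEASES = {
    "1.2.0": [{"upload_time_iso_8601": "2026-02-01T10:00:00+00:00", "yanked": False}],
    "1.2.1": [{"upload_time_iso_8601": "2026-03-10T09:30:00+00:00", "yanked": False}],
    "1.3.0": [{"upload_time_iso_8601": "2026-03-15T12:00:00+00:00", "yanked": False}],
    "1.3.1": [{"upload_time_iso_8601": "2026-03-17T08:00:00+00:00", "yanked": True}],
}

# Fixed "today" so the example is deterministic (a real run would use datetime.now(timezone.utc)).
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)


def version_key(version):
    # Simplified ordering: numeric dotted versions only (no PEP 440 pre/post/dev segments).
    return tuple(int(part) for part in version.split("."))


def release_time(files):
    # A release's age is measured from its earliest uploaded file, i.e. the moment
    # anything under that version number first became installable.
    return min(datetime.fromisoformat(f["upload_time_iso_8601"]) for f in files)


def classify(releases, min_age_days, now=NOW):
    """Return {version: "ok" | "too new" | "yanked" | "no files"} for every release."""
    cutoff = now - timedelta(days=min_age_days)
    verdicts = {}
    for version, files in releases.items():
        if not files:
            verdicts[version] = "no files"
        elif any(f.get("yanked") for f in files):
            verdicts[version] = "yanked"
        elif release_time(files) > cutoff:
            verdicts[version] = "too new"
        else:
            verdicts[version] = "ok"
    return verdicts


def eligible_versions(releases, min_age_days, now=NOW):
    """Versions old enough (and not yanked) to install, oldest first."""
    verdicts = classify(releases, min_age_days, now)
    return sorted((v for v, why in verdicts.items() if why == "ok"), key=version_key)


def newest_old_enough(releases, min_age_days, now=NOW):
    """The version a delayed resolver would pick, or None if nothing qualifies."""
    ok = eligible_versions(releases, min_age_days, now)
    return ok[-1] if ok else None


def held_back(releases, min_age_days, now=NOW):
    """(version, reason) pairs for releases the delay policy refuses, for a report."""
    verdicts = classify(releases, min_age_days, now)
    return sorted(((v, why) for v, why in verdicts.items() if why != "ok"),
                  key=lambda item: version_key(item[0]))


if __name__ == "__main__":
    for days in (0, 7, 60):
        print(f"min age {days:2d} days -> install {newest_old_enough(SAMPLE_RELEASES, days)!r}, "
              f"held back {held_back(SAMPLE_RELEASES, days)}")
```

With the constructed data, a 7-day delay selects 1.2.1 and reports 1.3.0 as too new and 1.3.1 as yanked; with no delay the resolver would take 1.3.0 on the day it appeared, which is exactly the window a quarantine has no chance to close. Measuring age from the earliest file of a version, rather than the latest, stops a maintainer (or an attacker with a maintainer's token) from resetting the clock by uploading an extra wheel.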