Pipask retrieves metadata through PyPI's JSON API first, then checks repository popularity, download counts, package age, and known vulnerabilities before allowing installation. It presents you with a pretty report and asks for your consent to the installation, giving you control over what code runs on your system.
More details in the intro blog post: https://medium.com/data-science-collective/pipask-know-what-...
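
A sketch of the package-age and known-vulnerability checks described above, run over a constructed response shaped like PyPI's JSON API output. This is an added example, not pipask's own code; the package name, advisory ids, the 90-day threshold and the function names are assumptions.

```python
from datetime import datetime

# Constructed sample shaped like a PyPI JSON API response
# (https://pypi.org/pypi/<project>/json); package name and values are made up.
SAMPLE = {
    "info": {"name": "example-pkg", "version": "0.2.0", "yanked": False},
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2025-03-01T10:00:00.000000Z"}],
        "0.2.0": [{"upload_time_iso_8601": "2025-03-10T09:30:00.000000Z"}],
    },
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "fixed_in": ["0.3.0"], "withdrawn": None,
         "summary": "constructed advisory"},
        {"id": "EXAMPLE-0002", "fixed_in": [], "withdrawn": "2025-03-05T00:00:00Z",
         "summary": "constructed advisory, later withdrawn"},
    ],
}

MIN_PROJECT_AGE_DAYS = 90  # assumed threshold, not pipask's


def assess(meta, now):
    """Return (severity, message) findings; `now` must be timezone-aware."""
    findings = []
    uploads = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in meta.get("releases", {}).values() for f in files
    ]
    if not uploads:
        findings.append(("warn", "no uploaded files, age unknown"))
    else:
        age = (now - min(uploads)).days  # age of the oldest upload
        if age < MIN_PROJECT_AGE_DAYS:
            findings.append(("warn", f"project first uploaded {age} days ago"))
    if meta.get("info", {}).get("yanked"):
        findings.append(("fail", "selected release is yanked"))
    for vuln in meta.get("vulnerabilities", []):
        if vuln.get("withdrawn"):
            continue  # advisory was retracted, do not report it
        fixed = ", ".join(vuln.get("fixed_in") or []) or "no fixed version listed"
        findings.append(("fail", f"{vuln['id']}: fixed in {fixed}"))
    return findings


def verdict(findings):
    """Worst severity found: 'fail', 'warn' or 'ok' (prompt the user unless 'ok')."""
    levels = {sev for sev, _ in findings}
    return "fail" if "fail" in levels else "warn" if "warn" in levels else "ok"
```
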