New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report if a package is malicious or its version has been yanked #123

Open

keshav-space opened this issue Aug 22, 2024 · 0 comments

Labels

Member

keshav-space commented Aug 22, 2024

PyPI

PyPI removes all traces of the malicious package.
If a package version is deleted, it is properly marked as yanked. See the example https://pypi.org/pypi/apache-superset/json where version 2.1.1rc1 is marked as yanked.
Discussion on an index for packages that have been entirely removed from PyPI: https://discuss.python.org/t/an-index-for-deleted-pypi-packages-versions/50515

NPM

Npm removes all versions of a malicious package from the index and provides a placeholder package version 0.0.1-security. See the example https://registry.npmjs.org/gxm-reference-web-auth-server.
Npm also allows unpublishing (yanking) a package version within 72 hours see https://docs.npmjs.com/unpublishing-packages-from-the-registry.

Related: aboutcode-org/vulnerablecode#1533 (comment), aboutcode-org/vulnerablecode#1533 (comment)

The text was updated successfully, but these errors were encountered:

keshav-space added the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment