Home 零对冲(ZeroHedge)每日HackerNews

Show HN:Pipask – 更安全的 pip,且不影响便利性
Show HN: Pipask – safer pip without compromising convenience

原始链接: https://github.com/feynmanix/pipask

Pipask 是一个比 pip 更安全的 Python 包安装替代方案,它在不牺牲便利性的前提下优先考虑安全性。它可以作为 pip 的直接替代品,拦截安装请求并在继续安装之前执行安全检查。与 pip 不同,pipask 利用 PyPI 元数据来避免不必要的代码执行,只有在绝对必要时才提示用户同意。 它会验证指定包的仓库流行度(GitHub/GitLab 星星数)、包/版本年龄、已知漏洞(使用 OSV.dev)、下载统计数据以及元数据完整性(许可证、开发状态、已撤回状态)。对于依赖项,它会检查漏洞。如果所有检查都通过并且安装获得批准,pipask 会将安装任务交给标准 pip。 使用方法与 pip 完全相同(例如,`pipask install requests`)。为了方便起见,可以将 `pip` 设为 `pipask` 的别名。你也可以使用 `pipask install --dry-run` 预览检查结果而无需实际安装。如果需要,可以使用 `python -m pip` 来绕过 pipask 并使用原生的 pip。Pipask 使用 PyPI API、下载统计数据以及来自外部来源的仓库/漏洞数据来提供全面的安全评估。

Hacker News 上出现了一个更安全的 pip 替代品 Pipask。它解决了标准 pip 的一个安全漏洞:标准 pip 会在没有任何警告的情况下执行来自源码分发的任意代码。Pipask 通过 PyPI 的 JSON API 获取元数据,在安装前检查代码库的流行度、下载次数、包的年龄和漏洞,并需要用户同意。 讨论的焦点包括:鉴于 uv 等更全面的依赖项解析器的存在,一个只解决此漏洞的工具是否有用;是否需要更新 PyPI 以要求发布依赖项元数据以避免运行代码;以及 pyproject.toml 是否已经解决了这个问题。一些人建议将 Pipask 的功能作为 uv 或 poetry 的插件来实现。 用户还要求改进漏洞报告,特别是链接到 Python 包安全漏洞数据库中的安全公告并显示已修复版本的相关信息。创建者正在考虑为缺乏超链接支持的终端添加可见的 URL,并承认了编码代理和 CI/CD 管道的用例,并建议后者使用 lockfiles。还有一个类似的工具 Packj 被提及,它利用静态和动态代码分析。
相关文章
  • (评论) 2025-03-14
  • (评论) 2025-03-26
  • Pyinfra:使用 Python 自动化基础设施 2024-05-01
  • (评论) 2025-03-17
  • Uv:Rust 中的 Python 封装 2024-02-16
    • 原文

    A safer way to install Python packages without compromising convenience. pipask-demo

    Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which needs to download and execute code from source distribution first to get dependency metadata, pipask relies on metadata from PyPI whenever possible. If 3rd party code execution is necessary, pipask asks for consent first. The actual installation is handed over to pip if installation is approved.

    See the introductory blog post for more information.

    The recommended way to install pipask is with pipx to isolate dependencies:

    Alternatively, you can install it using pip:

    Use pipask exactly as you would use pip:

    pipask install requests
pipask install 'fastapi>=0.100.0'
pipask install -r requirements.txt

    For maximum convenience, alias pip to point to pipask:

    Add this to your shell configuration file (~/.bashrc, ~/.bash_profile, ~/.zshrc, etc.). You can always fall back to native pip with python -m pip if needed.

    To run checks without installing, use the --dry-run flag:

    pipask install requests --dry-run

    Pipask performs these checks before allowing installation:

    • Repository popularity - verification of links from PyPI to repositories, number of stars on GitHub or GitLab source repo (warning below 1000 stars)
    • Package and release age - warning for new packages (less than 22 days old) or stale releases (older than 365 days)
    • Known vulnerabilities in the package available in PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
    • Number of downloads from PyPI in the last month (warning below 1000 downloads)
    • Metadata verification: Checks for license availability, development status, and yanked packages

    All checks are executed for requested (i.e., explicitly specified) packages. Only the known vulnerabilities check is executed for transitive dependencies.

    Under the hood, pipask:

    1. Uses PyPI's JSON API to retrieve metadata without downloading or executing code
    2. When code execution is unavoidable, asks for confirmation first
    3. Collects security information from multiple sources:
      • Download statistics from pypistats.org
      • Repository popularity from GitHub or GitLab
      • Vulnerability details from OSV.dev
      • Attestation metadata from PyPI integrity API
    4. Presents a formatted report and asks for consent
    5. Hands over to standard pip for the actual installation if approved

    See CONTRIBUTING.md for development guidance.

    联系我们 contact @ memedata.com