Dependency Confusion via Lookup Request Forwarding to PyPI.org
Problem
See https://hackerone.com/reports/1681275 for a detailed explanation.
Proposal
As discussed with @nmalcolm via h1, we propose that the following adjustments should be made:
- The insecure installation command suggested by the repository web pages should be replaced: instead of --extra-index-url, the --index-url command line option should be used.
- Forwarding of requests for unknown packages to pypi.org should be disabled by default. This setting can have dangerous side effects (the dependency confusion described in the report) and should be opt-in: administrators who understand the consequences can still enable it for their instance.
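To make the first proposal concrete, here is an added example (not code from the report, the reporter, or the project) that models how pip picks a release when several indexes are configured, and a small check that flags fallback-index directives in pip.conf or requirements files. The two index contents and the sample config lines are constructed for illustration; the package name acme-internal-tool and the host pypi.example.internal are placeholders.

```python
"""Why --extra-index-url enables dependency confusion, and a check for it.

With --extra-index-url pip treats every configured index as an equal source
and installs the highest version found anywhere, so a same-named package on
the public index wins over the private one. With --index-url only the named
index is consulted. The indexes below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Index = Dict[str, List[Version]]

# Constructed: the private index hosts an internal package at 1.2.0.
PRIVATE_INDEX: Index = {"acme-internal-tool": [(1, 2, 0)]}
# Constructed stand-in for pypi.org: a same-named package at a higher
# version, plus an ordinary public dependency.
PUBLIC_INDEX: Index = {"acme-internal-tool": [(99, 0, 0)], "requests": [(2, 31, 0)]}


def resolve(name: str, indexes: List[Tuple[str, Index]]) -> Tuple[Version, str]:
    """Pip-style selection: gather candidates from every index, take the highest version.

    Returns (version, index_label). Ties between indexes are broken by label
    here; real pip has no notion of a 'preferred' index either.
    """
    candidates = [(v, label) for label, idx in indexes for v in idx.get(name, [])]
    if not candidates:
        raise LookupError(f"no release of {name!r} on any configured index")
    return max(candidates)


def install_with_extra_index(name: str) -> Tuple[Version, str]:
    """--index-url <private> --extra-index-url <public>: both indexes are searched."""
    return resolve(name, [("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)])


def install_with_index_url(name: str) -> Tuple[Version, str]:
    """--index-url <private> only: the public index is never consulted."""
    return resolve(name, [("private", PRIVATE_INDEX)])


# Matches a requirements-file option (--extra-index-url ...) or a pip.conf
# key (extra-index-url = ...), but not a plain index-url line.
EXTRA_INDEX_RE = re.compile(r"^\s*(--extra-index-url\b|extra-index-url\s*=)")


def find_extra_index_directives(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every fallback-index directive."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1) if EXTRA_INDEX_RE.search(line)]


# Constructed sample inputs for the check.
SAMPLE_PIP_CONF = """[global]
index-url = https://pypi.example.internal/simple
extra-index-url = https://pypi.org/simple
"""
SAMPLE_REQUIREMENTS = """--extra-index-url https://pypi.example.internal/simple
acme-internal-tool==1.2.0
"""

if __name__ == "__main__":
    print("extra-index-url:", install_with_extra_index("acme-internal-tool"))
    print("index-url only: ", install_with_index_url("acme-internal-tool"))
    for src, text in (("pip.conf", SAMPLE_PIP_CONF), ("requirements.txt", SAMPLE_REQUIREMENTS)):
        for n, line in find_extra_index_directives(text.splitlines()):
            print(f"{src}:{n}: fallback index configured: {line}")
```

Note the trade-off the model makes visible: with --index-url alone, a public dependency such as requests is not found unless the private index also serves (or proxies) it, which is exactly why the server-side forwarding feature exists and why the second proposal asks for it to be an explicit administrator decision rather than a default.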