
Update --extra-index-url usage in repository webpages

What does this MR do and why?

A fix for Issue #384253 (closed).

This MR changes --extra-index-url to --index-url in order to prevent users from copying the former without understanding its security implications. Since using --extra-index-url can lead to dependency confusion (for further details see: https://hackerone.com/reports/1681275), this change increases users' security while using GitLab.

Furthermore, forwarding of requests for unknown packages to pypi.org should be disabled by default. This setting can have dangerous side effects and should not be enabled by default. Administrators who understand the consequences could still enable the feature for their instance. Even though the option to disable "PyPI Forwarding" is described in the documentation, it is a feature that can only be configured with a "Premium" subscription. Users with a "Free" subscription cannot disable "PyPI Forwarding". Therefore, to strengthen security, the GitLab Team might consider adding this option to the "Free" tier of GitLab.
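To make the two points above concrete, here is a small added example (not GitLab's code and not part of this MR) that models how pip selects a distribution when more than one index is configured, and that lints pip command lines or requirements files for `--extra-index-url`. The index URLs, the package version listings and the `forward_unknown` switch (standing in for the "PyPI Forwarding" setting described above) are constructed sample data, not real registry contents.

```python
"""Added example (not GitLab's code, not from this MR): a model of how pip picks a
distribution across configured indexes, plus a lint that flags --extra-index-url in pip
command lines and requirements.txt option lines. All URLs and version listings are
constructed sample data."""
import re

# Constructed sample indexes: URL -> {package name: [versions published there]}.
PRIVATE_INDEX = "https://gitlab.example.com/api/v4/groups/1/-/packages/pypi/simple"
PUBLIC_INDEX = "https://pypi.org/simple"
INDEX_CONTENTS = {
    # The organisation's own package lives only on the private registry.
    PRIVATE_INDEX: {"internal-lib": ["1.2.0"]},
    # The public index also carries a package with the same name at a higher version
    # (the dependency-confusion situation the MR description refers to).
    PUBLIC_INDEX: {"internal-lib": ["99.0.0"], "requests": ["2.31.0"]},
}


def _version_key(version):
    """Order dotted versions numerically (1.10.0 > 1.9.0), as pip does."""
    return tuple(int(part) for part in version.split("."))


def resolve(package, index_url, extra_index_urls=(), forward_unknown=False):
    """Return the (index, version) pair that would be installed.

    pip pools candidates from --index-url and every --extra-index-url and installs the
    highest version; --index-url gets no precedence over the extras. forward_unknown
    models GitLab's "PyPI forwarding" (an assumption of this example): a package the
    private registry does not know is served from pypi.org instead.
    """
    candidates = []
    for configured in (index_url, *extra_index_urls):
        served_from = configured
        versions = INDEX_CONTENTS.get(configured, {}).get(package, [])
        if not versions and forward_unknown and configured == PRIVATE_INDEX:
            served_from = PUBLIC_INDEX
            versions = INDEX_CONTENTS[PUBLIC_INDEX].get(package, [])
        candidates.extend((_version_key(v), served_from, v) for v in versions)
    if not candidates:
        raise LookupError(f"{package}: no candidate on the configured index(es)")
    _, index, version = max(candidates)
    return index, version


EXTRA_INDEX_RE = re.compile(r"--extra-index-url(?:=|\s+)(\S+)")


def rewrite_extra_index_url(line):
    """Return the line with --extra-index-url replaced by --index-url, or None when the
    line does not use --extra-index-url. pip command lines and requirements.txt option
    lines share this flag syntax, so the same check covers both."""
    match = EXTRA_INDEX_RE.search(line)
    if match is None:
        return None
    return f"{line[:match.start()]}--index-url {match.group(1)}{line[match.end():]}"


if __name__ == "__main__":
    # The instruction the MR removes: pypi.org stays the primary index and the private
    # registry is only an extra; the public 99.0.0 wins over the private 1.2.0.
    print(resolve("internal-lib", PUBLIC_INDEX, extra_index_urls=(PRIVATE_INDEX,)))
    # The instruction the MR introduces: only the private registry is consulted.
    print(resolve("internal-lib", PRIVATE_INDEX))
    # Cost of --index-url without forwarding: public-only packages are not found.
    try:
        resolve("requests", PRIVATE_INDEX)
    except LookupError as err:
        print(err)
    # With forwarding enabled, the unknown package is served from pypi.org.
    print(resolve("requests", PRIVATE_INDEX, forward_unknown=True))
    print(rewrite_extra_index_url(
        "pip install internal-lib --extra-index-url " + PRIVATE_INDEX))
```

Running the script shows the trade-off the description is making: with `--index-url` alone, a same-named public package can no longer outrank the private one, but a package that exists only on pypi.org is not found unless the instance forwards unknown packages, which is why the MR asks for that forwarding to be an explicit administrator choice rather than the default.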

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
