• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
pypi introduces archival status to alert users about unmaintained python

PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages

You are here: Home / General Cyber Security News / PyPI Introduces Archival Status to Alert Users About Unmaintained Python Packages
February 3, 2025

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security.

“Maintainers can now archive a project to let users know that the project is not expected to receive any more updates,” Facundo Tuesca, senior engineer at Trail of Bits, said.

In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues.

In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project’s status to downstream consumers.

PyPI also recommends that package developers release a final version prior to archival by updating the project description to warn users and to include alternatives as replacement.

The development comes shortly after PyPI rolled out the ability to quarantine projects, allowing administrators to mark a project as potentially suspicious and prevent it from being installed by other users to prevent further harm.

In November 2024, PyPI administrators quarantined the Python library aiocpa after a new update was found to include malicious code designed to exfiltrate private keys via Telegram.

Cybersecurity

Since August of last year, approximately 140 projects have been quarantined and subsequently removed from the registry barring one.

“Having this intermediary stage enables PyPI Admins to create more safety for end users, protecting end users quicker by PyPI Admins removing a suspicious package from being installed, while allowing further investigation,” PyPI Admin Mike Fiedler said.

“Since project removal from PyPI is a destructive action, creating a quarantine state allows for restoring a project if deemed a false positive report without destroying any of the project’s history or metadata.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Previous Post: «⚡ thn weekly recap: top cybersecurity threats, tools and tips ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [27 February]
Next Post: 768 CVEs Exploited in 2024, Reflecting a 20% Increase from 639 in 2023 768 cves exploited in 2024, reflecting a 20% increase from»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • Securing Data in the AI Era
  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • What Security Leaders Need to Know About AI Governance for SaaS

Copyright © TheCyberSecurity.News, All Rights Reserved.