Created to check whether the names of your private repository libraries match the name of a library on the public PyPI index.
Designed to prevent a dependency confusion attack on the PyPI ecosystem.
Example of attacks:
- Install
pip install pvpcheck
- Mark your private repository libraries by placing a start marker comment on the line before the first private import statement and an end marker comment on the line after the last one.
In a requirements.txt file
# check-private-packages-below-for-public-doppelgaenger
os
pandas
example-private-repository-name
# end-of-private-packages
In a file_name.py file
import os
import pandas
# check-private-packages-below-for-public-doppelgaenger
import example-private-repository-name
# end-of-private-packages
- Run from the command line and provide the path to the file.
% pvpcheck -r requirements.txt
If public libraries are found that match your private repository library names, you will get a response like:
WARNING: doppelgaengers found for the following library: pandas
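The check described in the steps above, written out as an added example (this is not pvpcheck's own code): it collects the names between the two marker comments, from either a requirements.txt or a .py file, normalizes them the way PyPI does (PEP 503), and asks a pluggable lookup whether each name exists publicly. The sample input and the small public-index stand-in are constructed so the example runs offline; pypi_has() is the live lookup against the real index.

```python
import re, urllib.error, urllib.request

# Marker comments exactly as the README documents them.
START = "# check-private-packages-below-for-public-doppelgaenger"
END = "# end-of-private-packages"

def normalize(name: str) -> str:
    """PEP 503 normalization: PyPI treats Foo_Bar, foo-bar and foo.bar as the same name."""
    return re.sub(r"[-_.]+", "-", name).lower()

def extract_private_names(lines) -> list[str]:
    """Names between START and END, from requirements lines (name, name==1.0) or import lines."""
    names, inside = [], False
    for raw in lines:
        line = raw.strip()
        if line == START:
            inside = True
        elif line == END:
            inside = False
        elif inside and line and not line.startswith("#"):
            m = re.match(r"(?:import|from)\s+([\w.\-]+)", line)
            if m:  # "import a.b" -> top-level distribution "a"
                names.append(m.group(1).split(".")[0])
            else:  # strip version specifiers, extras and environment markers
                names.append(re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0])
    return names

def find_doppelgaengers(lines, is_public) -> list[str]:
    """Marked names that also exist publicly. is_public is pluggable so the check
    runs offline in tests and against pypi.org (pypi_has) in real use."""
    return [n for n in extract_private_names(lines) if is_public(normalize(n))]

def pypi_has(name: str) -> bool:
    """Live lookup: PyPI's JSON API returns 200 for an existing project, 404 otherwise."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

# Constructed sample mirroring the README's requirements.txt, and a constructed
# stand-in for the public index so the example runs without network access.
SAMPLE_REQUIREMENTS = [START, "os", "pandas", "example-private-repository-name", END]
CONSTRUCTED_PUBLIC_INDEX = {"pandas", "requests", "numpy"}
if __name__ == "__main__":
    hits = find_doppelgaengers(SAMPLE_REQUIREMENTS, CONSTRUCTED_PUBLIC_INDEX.__contains__)
    print("WARNING: doppelgaengers found for the following library: " + ", ".join(hits))
```

Swap `CONSTRUCTED_PUBLIC_INDEX.__contains__` for `pypi_has` to run the same check against the real index.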
Note: the term doppelgaenger means a biologically unrelated look-alike, or double, of a living person. I use it here to mean a public library whose name matches your private library but which is unrelated to it.