Safeguard
Tag

pip

Safeguard articles tagged "pip" — guides, analysis, and best practices for software supply chain and application security.

8 articles

Application Security

Reachability Analysis for Python and pip in 2026

Python reachability is hard but useful: dynamic dispatch, monkey-patching, optional extras, and how modern tools handle real Django and FastAPI services.

Feb 26, 20266 min read
Open Source Security

pip's Version-Based Resolution and the Origin of Dependen...

CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.

Dec 3, 20257 min read
Engineering

Python Wheels vs Source Distributions: Security Implications

Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.

Nov 27, 20246 min read
Open Source Security

Python Packaging Authority and the Security of pip install

Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.

Sep 15, 20237 min read
Software Supply Chain Security

pip Install Hooks Security: The Python Packaging Backdoor

Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.

Aug 18, 20234 min read
Dependency Security

Python Package Security Best Practices

Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.

Nov 18, 20225 min read
Supply Chain Security

Package Manager Security: npm, pip, and Maven Compared

Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.

Oct 8, 20228 min read
Software Supply Chain Security

pip Install Hooks Security Risks: Code Execution During Package Installation

Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.

Aug 8, 20224 min read
pip — Safeguard Blog