pip
Safeguard articles tagged "pip" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Reachability Analysis for Python and pip in 2026
Python reachability is hard but useful: dynamic dispatch, monkey-patching, optional extras, and how modern tools handle real Django and FastAPI services.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
Python Wheels vs Source Distributions: Security Implications
Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.
Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
pip Install Hooks Security: The Python Packaging Backdoor
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Python Package Security Best Practices
Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.
Package Manager Security: npm, pip, and Maven Compared
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
pip Install Hooks Security Risks: Code Execution During Package Installation
Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.