
PyPI Now Supports Project Archival

Support for marking projects as archived has landed on PyPI. Maintainers can now archive a project to let users know that the project is not expected to receive any more updates.

This allows users to make better decisions about which packages they depend on, especially regarding supply-chain security, since archived projects clearly signal that no future security fixes or maintenance should be expected.

Project archival is not deletion: archiving a project does not remove it from the index, and does not prevent users from installing it. Archival is purely a user-controlled marker that gives project owners the ability to signal a project’s status; PyPI has no plans to delete or prune archived distributions.

Support for archival is built on top of the project quarantine feature. Read more about that feature in PyPI’s December 2024 blog post. You can also find more details about the project archival’s implementation on the Trail of Bits blog.

Archiving a project

Owners of a project can archive it by navigating to the project’s settings page and scrolling down near the end to the following section:

As described in the warning message, archiving prevents new uploads to the project. After archiving the project, users will see the following notice on the project’s main PyPI page:

Maintainers are encouraged to make a final release before archiving, updating the project’s description with more context about the archival.

Finally, the project owners can always unarchive a project if needed.

Stay tuned

Project archival is the first step in a larger project, aimed at improving the lifecycle of projects on PyPI. That project includes evaluating additional project statuses (things like “deprecated” and “unmaintained”), as well as changes to PyPI’s public APIs that will enable clients to retrieve and act on project status information. You can track our progress on these fronts by following along with warehouse#16844!

Acknowledgements

This feature was developed by Trail of Bits. We would like to thank the PyPI admins and maintainers, including Mike Fiedler and Dustin Ingram, for their time and consideration throughout the design and development process.

The funding for this feature’s development comes from Alpha-Omega. Alpha-Omega’s mission is to protect society by catalyzing sustainable security improvements to the most critical open-source software projects and ecosystems.
