PyPI to Launch Project Archival System to Prevent Malicious Updates
The Python Package Index (PyPI) is set to introduce a new “Project Archival” system, which will allow maintainers to archive projects and warn users that no further updates should be expected. According to the developers, archived projects will remain accessible on PyPI, but users will see a warning message designed to help them make informed decisions about relying on such dependencies.
This new feature aims to improve the security of the supply chain within the PyPI ecosystem. Compromising developer accounts and distributing malicious updates for popular but abandoned projects is a common tactic among attackers. By clearly marking archived projects, the system seeks to reduce the risk of users unknowingly depending on outdated and potentially unsafe packages.
Additionally, the archival system is expected to increase transparency and reduce the number of support requests from users by clearly communicating the status of each project. The warning is intended to inform developers that it may be time to look for alternative, actively maintained dependencies rather than relying on obsolete projects.
How the Archival System Works
According to experts at Trail of Bits, who developed the new archival system, maintainers will be able to mark their projects as archived and notify users that no updates, fixes, or support should be expected. If maintainers decide to resume work on a project, they can unarchive it at any time.
The new system uses the LifecycleStatus model, which was originally designed for quarantining projects. This model provides a mechanism for changing a project’s status, allowing it to move between different states. Trail of Bits has announced plans to add more statuses in the future, including “deprecated,” “feature-complete,” and “unmaintained.”
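To make the lifecycle idea concrete, here is an added Python sketch (not PyPI's or Trail of Bits' code) that models a project status with the states the article names, enforces a hypothetical set of allowed transitions (archive, unarchive, quarantine and release), and shows the kind of warning an installer-side audit could surface for a pinned dependency. The transition table and the `audit` helper are assumptions for illustration only.

```python
from dataclasses import dataclass
from enum import Enum


class LifecycleStatus(Enum):
    ACTIVE = "active"            # default: no lifecycle status set
    QUARANTINED = "quarantined"  # existing status the model was built for
    ARCHIVED = "archived"        # new status described in the article


# Hypothetical transition rules; PyPI's real rules may differ.
TRANSITIONS = {
    LifecycleStatus.ACTIVE: {LifecycleStatus.ARCHIVED, LifecycleStatus.QUARANTINED},
    LifecycleStatus.ARCHIVED: {LifecycleStatus.ACTIVE},      # maintainer unarchives
    LifecycleStatus.QUARANTINED: {LifecycleStatus.ACTIVE},   # admins lift quarantine
}


@dataclass
class Project:
    name: str
    status: LifecycleStatus = LifecycleStatus.ACTIVE

    def set_status(self, new: LifecycleStatus) -> None:
        """Move to a new lifecycle state, rejecting transitions not in the table."""
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.name}: cannot go from {self.status.value} to {new.value}")
        self.status = new


def audit(requirements: list[str], index: dict[str, Project]) -> list[str]:
    """Return one warning per pinned dependency that should not be relied on as-is."""
    warnings = []
    for name in requirements:
        project = index.get(name)
        if project is None:
            warnings.append(f"{name}: not found on index")
        elif project.status is LifecycleStatus.ARCHIVED:
            warnings.append(f"{name}: archived, no further updates or fixes expected; "
                            "consider an actively maintained alternative")
        elif project.status is LifecycleStatus.QUARANTINED:
            warnings.append(f"{name}: quarantined, do not install until released")
    return warnings


if __name__ == "__main__":
    # Constructed sample index; names are placeholders, not real PyPI projects.
    index = {"oldlib": Project("oldlib"), "goodlib": Project("goodlib")}
    index["oldlib"].set_status(LifecycleStatus.ARCHIVED)
    for line in audit(["oldlib", "goodlib", "missing"], index):
        print(line)
```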