dep_conf
v9.1.2
Published
This is a private repository to reproduce a dependency confusion attack. Intended to be pulled by Artifactory.
Downloads
5
Readme
To reproduce dependency confusion.
For instance, the main culprit in Python dependency confusion is the misuse of an "insecure by design" command-line option, --extra-index-url. When you pass it to pip install to add your own package index, installs appear to work as expected, but what pip actually does behind the scenes goes something like this:
Looks up the package on the specified (internal) package index
Looks up the package on the public package index (PyPI) as well
Installs whichever candidate it found. If the package exists on both, it picks the one with the highest version number: --extra-index-url gives the internal index no priority over PyPI, so a public package that reuses an internal name and carries a large version number (such as 9.1.2 here) wins.
A proxying index such as an Artifactory virtual repository only closes this gap if it is the sole --index-url and its upstream (PyPI) remote is configured not to resolve your internal package names; pinning dependencies with hashes (pip's --require-hashes mode) additionally rejects an unexpected artifact even when the version matches.
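The selection rule described above, as an added example that is not part of the dep_conf package. The two index snapshots are constructed sample data (the internal versions 1.0.0/1.0.1 are invented; only the public 9.1.2 matches this page), and the tuple-based version parsing is a simplification of PEP 440 that ignores pre/post/dev suffixes:

```python
"""Model of how pip selects a candidate when several indexes are configured.

--extra-index-url: candidates from every index are merged and the highest
version wins, with no preference for the internal index.
--index-url only:  just the one index is consulted.

Added example; index contents are constructed, not real registry responses.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Index = Dict[str, Dict[str, str]]  # name -> {version string: origin}


def parse_version(text: str) -> Version:
    """Turn a plain release version such as '9.1.2' into a comparable tuple.

    Simplification of PEP 440: only the dotted release segment is handled.
    """
    return tuple(int(part) for part in text.split("."))


# Constructed sample data. The public index carries a squatted copy of the
# internal name with a deliberately large version number.
INTERNAL_INDEX: Index = {
    "dep_conf": {"1.0.0": "internal", "1.0.1": "internal"},
    "acme-auth": {"2.3.0": "internal"},
}
PUBLIC_INDEX: Index = {
    "dep_conf": {"9.1.2": "pypi"},
    "requests": {"2.31.0": "pypi"},
}


def candidates(name: str, indexes: List[Index]) -> List[Tuple[Version, str, str]]:
    """Collect (parsed version, version string, origin) for `name` from all indexes."""
    found = []
    for index in indexes:
        for version, origin in index.get(name, {}).items():
            found.append((parse_version(version), version, origin))
    return found


def resolve(name: str, indexes: List[Index]) -> Tuple[str, str]:
    """Return (version, origin) of the highest version across the given indexes.

    Mirrors pip's behaviour: once an index is configured, its candidates
    compete purely on version number, regardless of which index they came from.
    """
    found = candidates(name, indexes)
    if not found:
        raise LookupError(f"no candidate for {name!r} on the configured indexes")
    _, version, origin = max(found, key=lambda c: c[0])
    return version, origin


def resolve_with_extra_index(name: str) -> Tuple[str, str]:
    """pip install --index-url <internal> --extra-index-url <pypi> <name>."""
    return resolve(name, [INTERNAL_INDEX, PUBLIC_INDEX])


def resolve_internal_only(name: str) -> Tuple[str, str]:
    """pip install --index-url <internal> <name> (no extra index)."""
    return resolve(name, [INTERNAL_INDEX])


def shadowed_packages(internal: Index, public: Index) -> List[str]:
    """Audit helper: internal package names that also exist on the public index.

    Any overlap is reported, not just higher public versions, because the
    attacker controls the public version number and can raise it at will.
    """
    return sorted(name for name in internal if name in public)


if __name__ == "__main__":
    print("extra-index-url :", resolve_with_extra_index("dep_conf"))
    print("index-url only  :", resolve_internal_only("dep_conf"))
    print("confusable names:", shadowed_packages(INTERNAL_INDEX, PUBLIC_INDEX))
```

With both indexes configured, dep_conf resolves to 9.1.2 from pypi even though an internal 1.0.1 exists; restricting pip to the internal index returns 1.0.1 but makes public-only packages such as requests unresolvable, which is why a single proxying index is the usual fix rather than adding PyPI as an extra index.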