PyPI has completed its second audit

20 hours ago
  • #Security Audit
  • #PyPI
  • #Open Source
  • PyPI has completed its second external security audit, funded by the Sovereign Tech Agency.
  • The audit, conducted by Trail of Bits, focused on PyPI's codebase and identified 14 findings.
  • Findings include 2 High, 1 Medium, 7 Low, and 3 Informational severity issues, with most remediated.
  • Notable remediated issues include a missing permission check allowing organization members to invite owners and cleanup of stale team-project associations after transfers.
  • Two findings were accepted as low-risk issues that would require significant effort to fix: IP ban bypass via API tokens, and lack of validation between the metadata submitted with an upload and the metadata embedded in the uploaded file.
  • The audit also provided proposal reviews and custom CodeQL queries for future security integration.
  • Support for the work came from Alpha-Omega, enabling rapid remediation by the PSF role holder.
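As an added illustration (not PyPI's code and not from the Trail of Bits report), here is the kind of consistency check the last accepted finding refers to: comparing the metadata submitted alongside an upload with the METADATA file embedded in the wheel, so an index can reject a file whose embedded name or version disagrees with what was declared. The form field names, the minimal in-memory wheel builder and the constructed sample uploads are assumptions made for this example.

```python
import io
import re
import zipfile
from email.parser import HeaderParser


def embedded_metadata(wheel_bytes: bytes) -> dict:
    """Read Name/Version from the single *.dist-info/METADATA file inside a wheel."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        candidates = [n for n in zf.namelist()
                      if n.endswith(".dist-info/METADATA") and n.count("/") == 1]
        if len(candidates) != 1:
            raise ValueError("wheel must contain exactly one top-level dist-info/METADATA")
        raw = zf.read(candidates[0]).decode("utf-8")
    # METADATA is an RFC 822-style header block, so the stdlib email parser reads it.
    headers = HeaderParser().parsestr(raw)
    return {"name": headers["Name"], "version": headers["Version"]}


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_' or '.' become '-', case-folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def metadata_mismatches(form: dict, wheel_bytes: bytes) -> list:
    """Return the fields on which the upload form disagrees with the wheel's METADATA.

    An empty list means the declared and embedded metadata agree. 'form' is an
    assumed dict with 'name' and 'version' keys standing in for upload form fields.
    Versions are compared as plain strings; PEP 440 canonicalization is left out.
    """
    embedded = embedded_metadata(wheel_bytes)
    problems = []
    if normalize_name(form["name"]) != normalize_name(embedded["name"]):
        problems.append(f"name: form={form['name']!r} embedded={embedded['name']!r}")
    if form["version"] != embedded["version"]:
        problems.append(f"version: form={form['version']!r} embedded={embedded['version']!r}")
    return problems


def build_sample_wheel(name: str, version: str) -> bytes:
    """Constructed sample: a minimal wheel (zip) holding only a METADATA file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{name}-{version}.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    ok = metadata_mismatches({"name": "Sample-Pkg", "version": "1.0.0"},
                             build_sample_wheel("sample_pkg", "1.0.0"))
    bad = metadata_mismatches({"name": "Sample-Pkg", "version": "1.0.0"},
                              build_sample_wheel("other_pkg", "1.0.1"))
    print("consistent upload:", ok)      # []
    print("inconsistent upload:", bad)   # two mismatch entries
```

The name comparison uses PEP 503 normalization so that spelling variants of the same project are not flagged, while a genuinely different name or version is.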