On Thu, Feb 7, 2019, at 11:55 PM, Prateek Mohta wrote:
I wanted to check if the packages available on Pypi.org are scanned for any security vulnerabilities or not, can you please confirm.
As far as I know, they are not.
My concern is how do you control if someone uploads a malicious code on Github
The only real control that PyPI implements is that once someone claims a name, they (or other people they designate) control what code goes under that name. So if you 'pip install django', you can trust that you're getting the package uploaded by the maintainers of the official Django project.
New names can be claimed by anyone, including people who may have malicious intent. Sometimes people have uploaded malicious packages with names similar to popular packages, in the hope that people will make a typo and install the malicious code. These are removed when someone notices them (and some obvious names are now blocked), but there's no guarantee that PyPI is free of malicious packages.
In summary: PyPI is infrastructure to distribute Python packages. It doesn't try to answer the question "is this safe to install?"