Mailman 3 - pypi-announce

PyPI Users Email Phishing Attack
by Mike Fiedler July 31, 2025

July 31, 2025

(also posted to https://blog.pypi.org/posts/2025-07-28-pypi-phishing-attack/ ) (Ongoing, preliminary report) PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site. Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled: ``` [PyPI] Email verification ``` from the email address noreply(a)pypj.org. Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org. This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI. The email instructs users to follow a link to verify their email address, which leads to a phishing site that looks like PyPI but is not the official site. The user is prompted to log in, and the requests are passed back to PyPI, which may lead to the user believing they have logged in to PyPI, but in reality, they have provided their credentials to the phishing site. PyPI Admins are looking into a few methods of handling this attack, and want to make sure users are aware of the phishing attempt while we investigate different options. There is currently a banner on the PyPI homepage to warn users about this phishing attempt. Always inspect the URL in the browser before logging in. We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent them regarding the phishing site. If you have received this email, do not click on any links or provide any information. Instead, delete the email immediately. If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account's Security History for anything unexpected.

2 1

Deprecation of PyPI XMLRPC Methods
by Ee Durbin Sept. 26, 2024

Sept. 26, 2024

The following PyPI XMLRPC methods are being permanently deprecated: list_packages package_releases release_urls release_data See our docs <https://warehouse.pypa.io/api-reference/xml-rpc.html#deprecated-methods> for alternatives. These methods have seen continued excess traffic that requires a full transit to our backends to service. Given that we have had them marked as deprecated for years, and they are continuing to cause availability issues for the service, it is time for them to go. This deprecation will rollout over the next three weeks via rolling brownout, this allows us to gradually "notify" users who are not subscribed to pypi-announce <https://mail.python.org/mailman3/lists/pypi-announce.python.org/> and to provide some time to work around for users who need time to migrate. Brownout windows: September 5th - September 12th :00-:10 every hour September 12th - September 19th :00-:15 and :30-:40 every hour September 19th - September 26th :00-20 and :30-:50 every hour September 26th onward Deprecated methods are fully disabled See https://github.com/pypi/warehouse/issues/16642 to follow along with developments as this deprecation progresses. -Ee Durbin Director of Infrastructure Python Software Foundation

2 1

2FA Requirement for PyPI now live
by Mike Fiedler Jan. 1, 2024

Jan. 1, 2024

Hello, As previously announced, PyPI now requires a form of Two-factor Authentication (2FA) for all users. Today’s blog post <https://blog.pypi.org/posts/2024-01-01-2fa-enforced/> contains more details. Thank you for your continued efforts to make PyPI more secure for everyone. -- -Mike Fiedler, PyPI <https://pypi.org/> Safety & Security Engineer Python Software Foundation <https://www.python.org/psf-landing/>

1 0

2FA Requirement for PyPI 2024-01-01
by Mike Fiedler Dec. 11, 2023

Dec. 11, 2023

Hello, PyPI has been on the path of making Two-factor Authentication a reality for PyPI, which began in 2019. Read more about some of the steps taken in recent months on the PyPI Blog: - https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/ - https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/ - https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/ - https://blog.pypi.org/posts/2023-12-06-2fa-enforcement-on-testpypi/ PyPI Admins will activate the requirement for PyPI.org on Jan 1, 2024 for all users, all projects. (If we're off by a few hours in any direction, our apologies. Exact timing is not yet available.) Read more in the Help section <https://pypi.org/help/#twofa>. If you are no longer responsible for a PyPI account that publishes packages, please forward details along to someone who does, so they are not caught unaware. All the best, -Mike Fiedler, PyPI <https://pypi.org/> Safety & Security Engineer Python Software Foundation <https://www.python.org/psf-landing/>

1 0

pip 20.3 release (heads-up for potential disruption)
by Sumana Harihareswara Nov. 30, 2020

Nov. 30, 2020

On behalf of the Python Packaging Authority, I am pleased to announce that we have just released pip 20.3, a new version of pip. You can install it by running `python -m pip install --upgrade pip`. This is an important and disruptive release -- we explained why in a blog post last year https://pyfound.blogspot.com/2019/12/moss-czi-support-pip.html . We even made a video about it: https://www.youtube.com/watch?v=B4GQCBBsuNU . Blog post with details: https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html Highlights include: * **DISRUPTION**: Switch to the new dependency resolver by default. Watch out for changes in handling editable installs, constraints files, and more: https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res… * **DEPRECATION**: Deprecate support for Python 3.5 (to be removed in pip 21.0) * **DEPRECATION**: pip freeze will stop filtering the pip, setuptools, distribute and wheel packages from pip freeze output in a future version. To keep the previous behavior, users should use the new `--exclude` option. * Support for PEP 600: Future ‘manylinux’ Platform Tags for Portable Linux Built Distributions. * Add support for MacOS Big Sur compatibility tags. The new resolver is now *on by default*. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break. Please see our guide on how to test and migrate, and how to report issues: https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res… . You can use the deprecated (old) resolver, using the flag `--use-deprecated=legacy-resolver`, until we remove it in the pip 21.0 release in January 2021. In pip 21.0 we will also remove support for Python 2.7. You can find more details (including deprecations and removals) in the changelog https://pip.pypa.io/en/stable/news/ , and you can find thank-yous and instructions on reporting issues at https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html . Thank you, Sumana Harihareswara pip project manager Changeset Consulting https://changeset.nyc

1 0

upgrade to pip 20.2 -- plus changes coming in 20.3
by Sumana Harihareswara July 30, 2020

July 30, 2020

On behalf of the Python Packaging Authority, I am pleased to announce the release of pip 20.2. Please upgrade for speed improvements, bug fixes, and better logging. You can install it by running python -m pip install --upgrade pip. We make major releases each quarter, so this is the first new release since 20.1 in April. NOTICE: This release includes the beta of the next-generation dependency resolver. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break. Please test it with the `--use-feature=2020-resolver` flag. Please see our guide on how to test and migrate, and how to report issues <https://pip.pypa.io/en/latest/user_guide/#changes-to-the-pip-dependency-res…>. The new dependency resolver is *off by default* because it is *not yet ready for everyday use*. For release highlights and thank-yous, please see <https://blog.python.org/2020/07/upgrade-pip-20-2-changes-20-3.html> . The full changelog is at <https://pip.pypa.io/en/stable/news/>. Future: We plan to make pip's next quarterly release, 20.3, in October 2020. We are preparing to change the default dependency resolution behavior and make the new resolver the default in pip 20.3. -- Sumana Harihareswara project manager for pip, on contract with Python Software Foundation Changeset Consulting, https://changeset.nyc

1 0

Upgrade to pip 20.1
by Sumana Harihareswara May 1, 2020

May 1, 2020

On behalf of the Python Packaging Authority, I am pleased to announce that we have released a new version of pip, pip 20.1. Please upgrade for speed improvements and bugfixes. We make major releases each quarter, and so this is the first new release since 20.0.2 in January. To install pip 20.1, you can run: python -m pip install --upgrade pip For release highlights and thank-yous, please see https://blog.python.org/2020/04/pip-20-1-released.html . Future: In May, we aim to release a version of pip that includes a testable beta of the new dependency resolver: https://pyfound.blogspot.com/2020/03/new-pip-resolver-to-roll-out-this-year… . And we plan to make pip's next quarterly release in July 2020. best, Sumana Harihareswara project manager for pip, on contract with Python Software Foundation Changeset Consulting, https://changeset.nyc

1 0

Preview: Upcoming changes to PyPI BigQuery public dataset
by Ernest W. Durbin III March 30, 2020

March 30, 2020

Hello! I’m looking for anyone how has built something interesting using the PyPI Big Query public dataset that’s documented at https://packaging.python.org/guides/analyzing-pypi-package-downloads/. There are some changes that are coming up that we’d like to preview for users that are actively using the dataset. If that’s you, send a note to bigquery-feedback(a)pypi.org with how you’ve been using the dataset. I’ll get back to you with information on the upcoming changes and will select a few projects to feature in the announcement of the new changes. -Ernest W. Durbin III Director of Infrastructure Python Software Foundation

1 0

Start using 2FA and API tokens on PyPI
by Sumana Harihareswara Jan. 17, 2020

Jan. 17, 2020

Dear PyPI users: To increase the security of PyPI downloads, we have added two-factor authentication (2FA) as a login security option, and API tokens for uploading packages. If you maintain or own a project on the Python Package Index [pypi.org], you should start using these features. Click "help" on PyPI for instructions. See details, explanations, and screenshots in our blog post today: https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi… A condensed explanation follows. 2FA: Two-factor authentication makes your account more secure by requiring two things in order to log in: something you know and something you own. In PyPI's case, "something you know" is your username and password, while "something you own" can be an application to generate a temporary code, or a security device (most commonly a USB key). PyPI's implementation of the WebAuthn standard means you can use any 2FA device that meets the FIDO standard. 2FA only affects logging in via a web browser, and not (yet) package uploads. API tokens: API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI. You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. That way, if a token is compromised, you can just revoke and recreate that token, instead of having to change your password in lots of automated processes. For more details and instructions, click "help" on PyPI, or go to: https://pypi.org/help/ These features are also available on Test PyPI. Future: In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change; when we decide on a timeline, we will announce the change on this list. Thanks to the Open Technology Fund for funding this work. More work is in progress on pip and PyPI -- see https://wiki.python.org/psf/PackagingWG . Please forward to other PyPI users, especially package maintainers. -Sumana Harihareswara on behalf of the PyPI team

1 0

PyPI two-factor auth (2FA) trial May 3-20
by Sumana Harihareswara May 2, 2019

May 2, 2019

Dear PyPI users: To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option, and want project maintainers and owners to start testing it. Starting this Friday, May 3rd, you'll be able to use 2FA on Test PyPI http://test.pypi.org/ . And if you'd like to try 2FA on official PyPI https://pypi.org , please fill out this Google form https://docs.google.com/forms/d/e/1FAIpQLSfRmXhkfAL-LgLfcMdzTG7iIaSwPo-pyzk… so we can invite you to the private beta, which we plan to hold 3-20 May. More details at https://wiki.python.org/psf/WarehousePackageMaintainerTesting . We expect to end this testing period on May 20th, then enable the optional 2FA feature for all PyPI users, and move on to working on WebAuthn support. Thanks to the Open Technology Fund for funding this work. More progress reports at https://wiki.python.org/psf/PackagingWG . -Sumana Harihareswara on behalf of the PyPI team

1 0