Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

HTML

Ruby

Shell

Elixir

C++

Haskell

R

Solidity

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Go

PHP

Zig

F#

PowerShell

Elixir

R

MATLAB

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇸🇲 San Marino

🇨🇱 Chile

🇯🇴 Jordan

🇬🇷 Greece

🇵🇲 Saint Pierre and Miquelon

🇲🇪 Montenegro

🇲🇬 Madagascar

🇨🇳 China

All Countries Compare Countries

pypa/advisory-database

Stars
250
Rank 162,397 (Top 4 %)
Language
License
Creative Commons ...
Created over 3 years ago
Updated 3 months ago

pypa/advisory-database

pypa

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Advisory database for Python packages published on pypi.org

Python Packaging Advisory Database

This is community owned repository of advisories for packages published on https://pypi.org.

Advisories live in the vulns directory and use a YAML encoding of a simple format.

Contributing advisories

Making a pull request

Existing entries can be edited by simply creating a pull request.

To introduce a new entry, create a pull request with a new file that has a name matching PYSEC-0000-<anything>.yaml. This will be later picked up by automation to allocate a proper ID once merged.

Triage process

Much of the existing set of vulnerabilities are collected from the NVD CVE feed.

We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.

Using this data

Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

$ curl -X POST -d \
          '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
          "https://api.osv.dev/v1/query"

Longer term, we are working with the PyPI team to build a pipeline to automatically get these vulnerabilities into PyPI. The goal is to have the pip install (and an additional pip audit) command automatically report vulnerabilities out of the box.

Code of Conduct

Everyone interacting with this project is expected to follow the PSF Code of Conduct.

pipenv

Python Development Workflow for Humans.

pipx

Install and Run Python Applications in Isolated Environments

pip

The Python package installer

hatch

Modern, extensible Python project management

sampleproject

A sample project that exists for PyPUG's "Tutorial on Packaging and Distributing Projects"

virtualenv

Virtual Python Environment builder

pipfile

setuptools

Official project repository for the Setuptools build system

flit

Simplified packaging of Python modules

cibuildwheel

🎡 Build Python wheels for all the platforms with minimal configuration.

twine

Utilities for interacting with PyPI

manylinux

Python wheels that work on any linux (almost)

packaging.python.org

Python Packaging User Guide

pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them

gh-action-pypi-publish

The blessed :octocat: GitHub Action, for publishing your 📦 distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish

setuptools_scm

the blessed package to manage your versions by scm tags

get-pip

Helper scripts to install pip, in a Python installation that doesn't have it.

build

A simple, correct Python build frontend

packaging

Core utilities for Python packages

wheel

The official binary distribution format for Python

bandersnatch

A PyPI mirror client according to PEP 381 http://www.python.org/dev/peps/pep-0381/

auditwheel

Auditing and relabeling cross-distribution Linux wheels.

python-manylinux-demo

Demo project for building Python wheels for Linux with Travis-CI

sample-namespace-packages

Tests against namespace packages

readme_renderer

Safely render long_description/README files in Warehouse

packaging-problems

An issue tracker for the problems in packaging

trove-classifiers

Canonical source for classifiers on PyPI.

pyproject-hooks

A low-level library for calling build-backends in `pyproject.toml`-based project

installer

A low-level library for installing from a Python wheel distribution.

gh-action-pip-audit

A GitHub Action for pip-audit

scripttest

Utilities to help with testing command line scripts

distlib

A low-level library which implements some Python packaging standards (PEPs) and which could be used by third-party packaging tools to achieve interoperability.

distutils

distutils as found in cpython

.github

Community health files for the Python Packaging Authority

pyproject-metadata

PEP 621 metadata parsing

pypa.io

Source code for the pypa.io website

interoperability-peps

Development repo for evolution of PyPA interoperability standards (released versions are published as PEPs on python.org)

integration-test

ensure core packaging tools work well with each other

pkg_resources

Abandoned extraction of pkg_resources. Official version found at /pypa/setuptools.

get-virtualenv

history

history generates history/changelog files for a project

easy_install

wheel-builders

Companion repo for the [email protected] mailing list

browntruck

pypa-docs-theme

Common base Sphinx theme for PyPA projects

docker-python

copr

Package files for building PyPA packages in copr

pypa-bot

Source code behind @pypa-bot (eventually)

pep470

pip-test-package

Used in pip's test suite

bootstrap

Assets for bootstrap.pypa.io

pypi-camo

bot-test

rootbeer

Bootstrapping Python build backends for source-only environments.