PyPI adds project archiving system to stop malicious updates
The Python Package Index (PyPI) has announced the introduction of ‘Project Archival,’ a new system that allows publishers to archive their projects, indicating to users that no further updates are to be expected.
The projects will still be hosted on PyPI, and users will still be able to download them, but they will see a warning about the project’s maintenance status to help them make informed decisions about their dependencies.
The new feature seeks to improve supply chain security, as hijacking developer accounts and pushing malicious updates to widely used but abandoned projects is a common scenario in the open-source space.
Apart from lowering the risk for users, it also reduces support requests by ensuring clear communication of the project’s lifecycle status.
How project archiving works
According to a more detailed blog from TrailofBits, the developer of PyPI’s new project archival system, the feature provides a maintainer-controlled status that allows project owners to mark their projects as archived, signalling to users that there will be no further updates, fixes, or maintenance.
PyPI recommends that maintainers release a final version before archiving a project, including details and an explanation of the reason for archiving, although this isn’t mandatory.
The maintainers can unarchive their project at any time in the future if they choose to resume work on it.
Under the hood, the new system uses a LifecycleStatus model, originally developed for project quarantine, which includes a state machine that enables transitions between different statuses.
Once the project owner clicks on the ‘Archive Project’ option on the PyPI settings page, the platform updates its metadata automatically to reflect the new status.
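To make the lifecycle state machine concrete, here is an added example (not PyPI/Warehouse code) modelling the behaviour the article describes: a maintainer can archive an active project and unarchive it later, an archived project accepts no new releases, and the project page carries a warning banner. The actor names, the quarantine semantics and the wording of the banner are assumptions.

```python
"""Hypothetical lifecycle state machine in the spirit of PyPI's LifecycleStatus model.
This is illustrative code, not the Warehouse implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class LifecycleStatus(Enum):
    ACTIVE = "active"            # normal project, uploads accepted
    QUARANTINED = "quarantined"  # assumed: admin-controlled hold
    ARCHIVED = "archived"        # maintainer-controlled, no further releases


# Assumption: only admins move a project in or out of quarantine, while a
# maintainer may archive an active project or unarchive it again at any time.
ALLOWED_TRANSITIONS = {
    "maintainer": {
        (LifecycleStatus.ACTIVE, LifecycleStatus.ARCHIVED),
        (LifecycleStatus.ARCHIVED, LifecycleStatus.ACTIVE),
    },
    "admin": {
        (LifecycleStatus.ACTIVE, LifecycleStatus.QUARANTINED),
        (LifecycleStatus.QUARANTINED, LifecycleStatus.ACTIVE),
    },
}


@dataclass
class Project:
    name: str
    status: LifecycleStatus = LifecycleStatus.ACTIVE
    history: list = field(default_factory=list)  # audit trail of transitions


def transition(project: Project, actor: str, new_status: LifecycleStatus) -> Project:
    """Apply a lifecycle transition, rejecting edges the actor may not drive."""
    edge = (project.status, new_status)
    if edge not in ALLOWED_TRANSITIONS.get(actor, set()):
        raise PermissionError(f"{actor} may not move {project.name} to {new_status.value}")
    project.history.append((actor, project.status, new_status))
    project.status = new_status
    return project


def upload_allowed(project: Project) -> bool:
    """Only active projects accept new releases; archived ones reject updates."""
    return project.status is LifecycleStatus.ACTIVE


def status_banner(project: Project) -> Optional[str]:
    """Warning shown on the project page; None when nothing needs flagging."""
    if project.status is LifecycleStatus.ARCHIVED:
        return f"{project.name} is archived: no further updates, fixes or maintenance are expected."
    if project.status is LifecycleStatus.QUARANTINED:
        return f"{project.name} is currently quarantined."
    return None
```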
TrailofBits says that there are plans to add more project statuses like ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained,’ giving users a clearer idea of the project’s condition.
The warning banner is meant to inform developers that they need to look for actively maintained alternative dependencies instead of continuing to rely on outdated and potentially insecure projects.
Attackers also often target abandoned packages, taking over unmaintained projects and injecting malicious code via an update that may come several years after the last one.
In other cases, maintainers choose to delete their projects when planning to stop development, which leads to scenarios like the ‘Revival Hijack’ attacks. Giving those maintainers an archiving option is much better from a security perspective.
Ultimately, due to the nature of open source, many projects are abandoned without notice, leaving users guessing whether they’re still maintained.
The new system should improve transparency in open-source project maintenance, removing the guesswork and providing an explicit signal about a project’s status.