Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue, according to an analysis by researchers at the University of Turku in Finland.
Over 749,000 security issues were found in 197,000 open source packages examined with static analysis, and those issues can propagate into any software that depends on the affected packages, the researchers say. They describe their work in "A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI."
Despite the inherent limitations of static analysis, which flags suspicious code patterns rather than confirmed, exploitable vulnerabilities, the researchers found at least one security issue in about 46% of the packages in the repository, an average of 3.8 issues per package. Of the identified issues, 442,373 were of low severity, found in 64.2% of the flagged packages, and 227,426 were of moderate severity, an average of 1.2 per package. The 80,065 high-severity issues, an average of 0.4 per package, were concentrated in 11% of the flagged PyPI packages.
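To make the kind of result described above concrete, here is an added example of a small AST-based security linter run over a few constructed "packages" and rolled up into the same repository-level figures (issues per severity, share of packages with at least one issue, mean issues per package). It is not the researchers' tool; the rule set, the severity labels and the sample sources are hypothetical, and the example also shows the caveat the article mentions: a static rule reports a pattern, not proven exploitability.

```python
"""AST-based security linter for Python packages, in the style of the study
summarised above.  Added example, not the researchers' tool: the rule set,
severity labels and sample packages are hypothetical and constructed here."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    line: int
    rule: str
    severity: str  # "low", "moderate" or "high"


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called function ('subprocess.run'); '' if dynamic."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _shell_true(call: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class SecurityVisitor(ast.NodeVisitor):
    """Flags call patterns by (hypothetical) severity.  Like any static rule it
    reports the pattern, not exploitability: eval("1+1") is flagged as well."""

    def __init__(self, package: str):
        self.package = package
        self.findings: list[Finding] = []

    def _add(self, node: ast.AST, rule: str, severity: str) -> None:
        self.findings.append(Finding(self.package, node.lineno, rule, severity))

    def visit_Assert(self, node: ast.Assert) -> None:
        # 'assert' is stripped under python -O, so it is not an input check
        self._add(node, "assert_used", "low")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee_name(node)
        if name in ("eval", "exec"):
            self._add(node, "eval_or_exec", "high")
        elif name.startswith("subprocess.") and _shell_true(node):
            self._add(node, "subprocess_shell_true", "high")
        elif name in ("pickle.load", "pickle.loads"):
            self._add(node, "unsafe_deserialisation", "moderate")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self._add(node, "weak_hash", "moderate")
        elif name in ("random.random", "random.randint", "random.choice"):
            self._add(node, "non_crypto_random", "low")
        self.generic_visit(node)  # keep descending: nested calls count too


def scan_package(package: str, source: str) -> list[Finding]:
    visitor = SecurityVisitor(package)
    try:
        visitor.visit(ast.parse(source))
    except SyntaxError:
        pass  # a real survey should count unparsable files separately
    return visitor.findings


def scan_all(sources: dict[str, str]) -> dict[str, list[Finding]]:
    return {name: scan_package(name, src) for name, src in sources.items()}


def summarize(results: dict[str, list[Finding]]) -> dict:
    """Repository-level figures of the kind reported in the article."""
    n = len(results)
    all_findings = [f for fs in results.values() for f in fs]
    severities = ("low", "moderate", "high")
    return {
        "packages": n,
        "issues": len(all_findings),
        "by_severity": {s: sum(f.severity == s for f in all_findings) for s in severities},
        "packages_with_issue_fraction": sum(bool(fs) for fs in results.values()) / n,
        "mean_issues_per_package": len(all_findings) / n,
        "packages_with_severity": {
            s: sum(any(f.severity == s for f in fs) for fs in results.values())
            for s in severities},
    }


# Constructed sample "packages", one source file each (not real PyPI code).
SAMPLE_PACKAGES = {
    "pkg_a": "def compute(expr):\n"
             "    assert isinstance(expr, str)\n"
             "    return eval(expr)\n",
    "pkg_b": "import json\n"
             "def load(blob):\n"
             "    return json.loads(blob)\n",
    "pkg_c": "import hashlib, pickle, subprocess\n"
             "def handle(data, path):\n"
             "    obj = pickle.loads(data)\n"
             "    subprocess.run('ls ' + path, shell=True)\n"
             "    return hashlib.md5(data).hexdigest()\n",
    "pkg_d": "import random, string\n"
             "def token(n=16):\n"
             "    return ''.join(random.choice(string.ascii_letters) for _ in range(n))\n",
}

if __name__ == "__main__":
    results = scan_all(SAMPLE_PACKAGES)
    for finding in (f for fs in results.values() for f in fs):
        print(finding)
    print(summarize(results))
```

On the four constructed packages the scanner reports six issues (two per severity) and three of four packages with at least one issue; whether any of them is reachable from untrusted input is exactly what a pattern match cannot tell you, which is why the study's per-package counts are an upper bound on real weaknesses rather than a vulnerability tally.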
In June, PyPI was purged of half a dozen typosquatting packages that contained cryptomining malware, and a month before that the repository was flooded with spam packages.