Test package for dependency confusion vulnerability

coherent minds


confusion-test - Test Package for Dependency Confusion Vulnerability

Background

Since you found this package, you might have already read about the so-called dependency confusion vulnerability. If you have no idea what I am talking about, first read this.

The pip team is still discussing if this could and/or should be fixed within pip itself or whether this is somebody else's problem.

Whatever the outcome of this discussion might be, you might want to mitigate this vulnerability now. Two tools (basically proxies which filter/route requests to repositories) have been proposed:

What's the use of confusion-test?

Whatever you use as a mitigation, you might wonder whether it actually works: if you have package A in your private repository and someone else uploads a package A to PyPI with a higher version number, will pip really not install the package from PyPI?

You can use confusion-test to test your mitigation. The 1.x versions are tiny and have neither dependencies nor any functionality.

How to use it

  1. Manually download the latest 1.x version of confusion-test from PyPI. Do not download a 666.x version!

  2. Upload this file to your private repository. Here is how you would do it with twine:

    twine upload -r YOUR_PRIVATE_REPO confusion-test-1.*.tar.gz
    
  3. Include confusion-test in your dependencies without pinning a version (a pin such as ==1.* would hide the problem you are trying to detect).

When you now install your dependencies, pip will try to install confusion-test with the highest version it can find:

  • If pip installs version 1.x from your private repository, all is fine.

  • If pip installs version 666.x from PyPI, the parent process (most likely pip) is killed, which should bring the installation process and your build pipeline to a grinding halt.
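The two outcomes above follow from how pip chooses between indexes. The following model, an added example that is not part of confusion-test, shows why: with `--extra-index-url` every index is a peer and the highest version wins regardless of where it lives, whereas a filtering proxy serves each name from one index only. The index contents, the `ROUTES` table and the helper names are constructed for illustration; `confusion_check` is the kind of gate a pipeline could run on the version that was actually installed.

```python
"""Model of pip's candidate selection across two indexes (added example).

The index contents below are constructed sample data, not real index
listings; the function and table names are illustrative.
"""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]

# Constructed sample data: versions each index claims to serve.
PRIVATE_INDEX: Index = {"confusion-test": ["1.0.0", "1.1.0"], "internal-lib": ["2.3.1"]}
PUBLIC_INDEX: Index = {"confusion-test": ["1.0.0", "1.1.0", "666.0.0"], "requests": ["2.31.0"]}

# Constructed routing table: names that must only ever come from the private index.
ROUTES: Dict[str, Index] = {"confusion-test": PRIVATE_INDEX, "internal-lib": PRIVATE_INDEX}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'X.Y.Z' into a comparable tuple (plain release versions only)."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name: str, indexes: List[Index]) -> Optional[str]:
    """pip with --extra-index-url: all indexes are peers, highest version wins.

    This is the behaviour that lets a public 666.0.0 shadow a private 1.1.0.
    """
    candidates: List[str] = []
    for index in indexes:
        candidates.extend(index.get(name, []))
    return max(candidates, key=parse_version) if candidates else None


def resolve_routed(name: str, routes: Dict[str, Index], default: Index) -> Optional[str]:
    """A filtering proxy: a routed name is served only by the index that owns it.

    Names not in the route table fall through to the default (public) index.
    """
    index = routes.get(name, default)
    candidates = index.get(name, [])
    return max(candidates, key=parse_version) if candidates else None


def confusion_check(installed: Optional[str]) -> bool:
    """Pipeline gate: True only if the installed confusion-test is a 1.x release."""
    if installed is None:
        return False
    return parse_version(installed)[0] == 1


if __name__ == "__main__":
    both = [PRIVATE_INDEX, PUBLIC_INDEX]
    print("merged :", resolve_merged("confusion-test", both))
    print("routed :", resolve_routed("confusion-test", ROUTES, PUBLIC_INDEX))
    print("gate ok:", confusion_check(resolve_routed("confusion-test", ROUTES, PUBLIC_INDEX)))
```

In a real pipeline the argument to `confusion_check` would come from `importlib.metadata.version("confusion-test")` after the install step, so the build fails on the result of the install rather than relying on the 666.x package killing pip.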

Download files

Source Distribution

confusion-test-666.0.0.tar.gz (3.8 kB)
