From c869ea5a802d4966f2ea4c699d6066bc5a21127f Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 08:59:54 +0530 Subject: [PATCH 1/5] docs: clarify dependency-confusion warning refers to --extra-index-url Make the warning in the pip install docs explicitly name --extra-index-url so readers cannot misinterpret which option the warning refers to. --- docs/html/cli/pip_install.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 00d7f7d23b1..056a2ac04d6 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst @@ -479,12 +479,11 @@ Examples .. warning:: - Using this option to search for packages which are not in the main - repository (such as private packages) is unsafe, per a security - vulnerability called - `dependency confusion `_: - an attacker can claim the package on the public repository in a way that - will ensure it gets chosen over the private package. + Using the ``--extra-index-url`` option to search for packages which are + not in the main repository (for example, private packages) is unsafe. + This is a class of security issue known as dependency confusion — an + attacker can publish a package with the same name to a public index, + which may then be chosen instead of your private package. .. tab:: Unix/macOS From f757681fc194b3a777c025757bbe3c2aa6bf90f1 Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 10:30:50 +0530 Subject: [PATCH 2/5] news: add doc entry for --extra-index-url docs clarification (#13609) --- news/13609.doc.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 news/13609.doc.rst diff --git a/news/13609.doc.rst b/news/13609.doc.rst new file mode 100644 index 00000000000..3d2ace48af2 --- /dev/null +++ b/news/13609.doc.rst @@ -0,0 +1 @@ +Clarify dependency-confusion warning applies to --extra-index-url \ No newline at end of file 
From dee2250610efb34c32db06ca117fb498e48487fc Mon Sep 17 00:00:00 2001 From: isaacaman Date: Fri, 3 Oct 2025 12:32:22 +0530 Subject: [PATCH 3/5] fix: add newline in news --- news/13609.doc.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/13609.doc.rst b/news/13609.doc.rst index 3d2ace48af2..f922130294a 100644 --- a/news/13609.doc.rst +++ b/news/13609.doc.rst @@ -1 +1 @@ -Clarify dependency-confusion warning applies to --extra-index-url \ No newline at end of file +Clarify dependency-confusion warning applies to --extra-index-url From 525e387306ffaf8584cc5cafd2e65454027e2193 Mon Sep 17 00:00:00 2001 From: Aman Date: Fri, 3 Oct 2025 13:49:19 +0530 Subject: [PATCH 4/5] docs: restore Azure mitigation link --- docs/html/cli/pip_install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 056a2ac04d6..2d2afc4f4fd 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst @@ -481,7 +481,7 @@ Examples Using the ``--extra-index-url`` option to search for packages which are not in the main repository (for example, private packages) is unsafe. - This is a class of security issue known as dependency confusion — an + This is a class of security issue known as `dependency confusion `_ — an attacker can publish a package with the same name to a public index, which may then be chosen instead of your private package. From 4b52e80cf2e69a06af1aec016d467f05a238b525 Mon Sep 17 00:00:00 2001 From: Aman Date: Fri, 3 Oct 2025 14:17:02 +0530 Subject: [PATCH 5/5] Update docs/html/cli/pip_install.rst Co-authored-by: Paul Moore --- docs/html/cli/pip_install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst index 2d2afc4f4fd..1e0decafddc 100644 --- a/docs/html/cli/pip_install.rst +++ b/docs/html/cli/pip_install.rst 
@@ -481,7 +481,7 @@ Examples Using the ``--extra-index-url`` option to search for packages which are not in the main repository (for example, private packages) is unsafe. - This is a class of security issue known as `dependency confusion `_ — an + This is a class of security issue known as `dependency confusion `_: an attacker can publish a package with the same name to a public index, which may then be chosen instead of your private package.
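Review bot: in the docs/html/cli/pip_install.rst hunk of PATCH 1/5, the rewritten warning drops the hyperlink that the removed lines carried on "dependency confusion" (the `` `dependency confusion `_`` reference) and replaces it with plain text, so readers lose the pointer to the write-up of the issue; keep the link markup in the new wording rather than adding it back in a later commit. The replacement also softens the consequence from "will ensure it gets chosen over the private package" to "may then be chosen instead of your private package"; the original phrasing conveyed that the attacker controls the outcome (by publishing a higher version to the public index), and the warning should keep that strength, e.g. "which pip will then choose over your private package".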
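Review bot: in the news/13609.doc.rst hunk of PATCH 2/5, the new fragment is committed without a trailing newline (``\ No newline at end of file``), which the project's fragment tooling and diff output flag; add the newline in the same commit instead of a separate fix-up. As a style point, the fragment is reStructuredText, so the option name should be wrapped as a literal (````--extra-index-url````) and the sentence should end with a period, matching the markup used in the docs hunk it describes.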
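Review bot: in the docs/html/cli/pip_install.rst hunk of PATCH 5/5, changing the em dash to a colon restores the punctuation of the original warning, but the resulting line "This is a class of security issue known as `dependency confusion `_: an" now carries the full link reference and runs well past the width the surrounding lines are wrapped to; rewrap the paragraph so the link and the following "an attacker can publish ..." clause sit on their own lines, keeping the indentation inside the ``.. warning::`` directive.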