Skip to content

docs: clarify dependency-confusion warning refers to --extra-index-url #13611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ichard26 merged 6 commits into from
Oct 12, 2025
Merged

docs: clarify dependency-confusion warning refers to --extra-index-url #13611

ichard26 merged 6 commits into from
Oct 12, 2025

Conversation

@kagiyanagi
Copy link
Contributor

@kagiyanagi kagiyanagi commented Oct 3, 2025

This small docs change makes it explicit that the dependency-confusion warning applies to the --extra-index-url option. The previous wording ("Using this option...") can be ambiguous in the surrounding examples.
No code changes — docs-only fix. Closes #13609.

@kagiyanagi
docs: clarify dependency-confusion warning refers to --extra-index-url
c869ea5 
Make the warning in the pip install docs explicitly name --extra-index-url
so readers cannot misinterpret which option the warning refers to.
@sepehr-rs
Copy link
Member

sepehr-rs commented Oct 3, 2025

Hi @isaacaman, thanks a lot for your contribution to pip!
I'm not part of the triage team yet, so you'll need to wait for an official answer from them.
In the meantime, I noticed that your PR is missing a news file. You can find more details about it here.
If anything about the process is unclear, please feel free to ask.

@kagiyanagi
Copy link
Contributor Author

kagiyanagi commented Oct 3, 2025

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

@sepehr-rs
Copy link
Member

sepehr-rs commented Oct 3, 2025

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you!
I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here.
Please let me know if you need any assistance fixing the pre-commit errors.

@kagiyanagi
Copy link
Contributor Author

kagiyanagi commented Oct 3, 2025

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you! I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here. Please let me know if you need any assistance fixing the pre-commit errors.

Wow, All checks are green now 🎉 Thanks a lot!

@sepehr-rs
Copy link
Member

sepehr-rs commented Oct 3, 2025

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you! I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here. Please let me know if you need any assistance fixing the pre-commit errors.

Wow, All checks are green now 🎉 Thanks a lot!

Great! Now it should be just a matter of waiting for a maintainer to review and give the final approval.

sepehr-rs
sepehr-rs reviewed Oct 3, 2025
View reviewed changes
docs/html/cli/pip_install.rst Outdated
will ensure it gets chosen over the private package.
Using the ``--extra-index-url`` option to search for packages which are
not in the main repository (for example, private packages) is unsafe.
This is a class of security issue known as dependency confusion — an
Copy link
Member

@sepehr-rs sepehr-rs Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a quick question, is there a reason you chose to remove the https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/ link here?

Copy link
Contributor Author

@kagiyanagi kagiyanagi Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it accidentally, I'll add it right now.

Copy link
Member

@sepehr-rs sepehr-rs Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

pfmoore
pfmoore reviewed Oct 3, 2025
View reviewed changes
@notatallshaw notatallshaw added this to the 25.3 milestone Oct 5, 2025
@ichard26 ichard26 added the skip news Does not need a NEWS file entry (eg: trivial changes) label Oct 12, 2025
ichard26
ichard26 approved these changes Oct 12, 2025
View reviewed changes
Copy link
Member

@ichard26 ichard26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I apologise for taking so long to get this in.

@ichard26 ichard26 merged commit e1c021d into pypa:main Oct 12, 2025
12 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pfmoore pfmoore pfmoore left review comments

@ichard26 ichard26 ichard26 approved these changes

+1 more reviewer

@sepehr-rs sepehr-rs sepehr-rs left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bot:chronographer:provided skip news Does not need a NEWS file entry (eg: trivial changes)

Projects

None yet

Milestone

25.3

Development

Successfully merging this pull request may close these issues.

Improve warning in pip install documentation

5 participants

@kagiyanagi @sepehr-rs @pfmoore @ichard26 @notatallshaw