The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security.
“Maintainers can now archive a project to let users know that the project is not expected to receive any more updates,” Facundo Tuesca, senior engineer at Trail of Bits, said.
In doing so, the idea is to clearly signal to developers that the Python libraries are no longer being actively maintained and that no future security fixes or product updates should be expected.
That said, projects labeled as archived will continue to remain available on PyPI and users can continue to install it without any issues.
In a separate blog post detailing the feature, Tuesca said the maintainers are considering additional maintainer-controlled statuses to better communicate a project’s status to downstream consumers.
PyPI also recommends that package developers release a final version prior to archival by updating the project description to warn users and to include alternatives as replacement.
The development comes shortly after PyPI rolled out the ability to quarantine projects, allowing administrators to mark a project as potentially suspicious and prevent it from being installed by other users to prevent further harm.
In November 2024, PyPI administrators quarantined the Python library aiocpa after a new update was found to include malicious code designed to exfiltrate private keys via Telegram.
Since August of last year, approximately 140 projects have been quarantined and subsequently removed from the registry barring one.
“Having this intermediary stage enables PyPI Admins to create more safety for end users, protecting end users quicker by PyPI Admins removing a suspicious package from being installed, while allowing further investigation,” PyPI Admin Mike Fiedler said.
“Since project removal from PyPI is a destructive action, creating a quarantine state allows for restoring a project if deemed a false positive report without destroying any of the project’s history or metadata.”
