Auditing my local Python packages
The author documents a process for auditing all locally installed Python packages by reviewing their source code, dependencies, and metadata to identify security risks and maintenance issues.
Background
- **Alex Chan** is a UK-based software engineer who writes about Python, programming tools, and personal infrastructure on their blog.
- `pip` is Python's standard package manager; `pip list` shows all installed third-party packages (libraries) on a machine.
- Python packaging relies on a central repository called **PyPI** (Python Package Index, aka "the Cheese Shop"). Anyone can upload a package, and packages can have dependencies on other packages, creating a dependency tree.
- A "supply-chain attack" occurs when a malicious actor publishes a fake or compromised package to PyPI (typosquatting a popular name, or hijacking an abandoned but widely used package) so that anyone who runs `pip install` pulls in malware.
- The post's author runs an audit, manually checking every package they have installed, because risk grows with each dependency you don't actually need or know about.
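A starting point for the audit described above, as an added example (not code from the post): it reads the installed distributions' `Requires-Dist` metadata, builds the dependency graph, and reports the top-level packages (nothing installed depends on them, so each is either something you chose or something to question) and declared dependencies that are missing. The `SAMPLE` environment is constructed for the demonstration.

```python
import re
from importlib.metadata import distributions

def normalize(name):
    """PEP 503 name normalisation so 'Charset_Normalizer' == 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(spec):
    """Bare project name from a Requires-Dist string such as
    'requests (>=2.0) ; python_version >= "3.8"'. Returns None when the
    requirement is only pulled in by an extra (optional dependency)."""
    marker = spec.split(";", 1)[1] if ";" in spec else ""
    if re.search(r"\bextra\s*==", marker):
        return None
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return normalize(m.group(1)) if m else None

def build_graph(packages):
    """packages: iterable of (name, [Requires-Dist strings or None]).
    Returns {normalised name: set of normalised names it depends on}."""
    graph = {}
    for name, requires in packages:
        deps = {requirement_name(r) for r in (requires or [])}
        deps.discard(None)
        graph[normalize(name)] = deps
    return graph

def top_level(graph):
    """Installed packages that no other installed package depends on."""
    needed = {d for deps in graph.values() for d in deps}
    return sorted(n for n in graph if n not in needed)

def missing(graph):
    """Declared dependencies that are not installed at all."""
    needed = {d for deps in graph.values() for d in deps}
    return sorted(needed - set(graph))

def installed_packages():
    """The live environment, i.e. what `pip list` shows."""
    return [(d.metadata["Name"], d.requires) for d in distributions()]

# Constructed sample environment for the demonstration, not a real machine.
SAMPLE = [
    ("requests", ["charset_normalizer (<4,>=2)", "idna (>=2.5)", "urllib3 (<3,>=1.21.1)",
                  "certifi>=2017.4.17", "PySocks!=1.5.7,>=1.5.6; extra == 'socks'"]),
    ("urllib3", ["brotli>=1.0.9; extra == 'brotli'"]),
    ("idna", None),
    ("charset-normalizer", []),
    ("left-pad-util", []),  # nothing needs it: ask why it is installed
]

if __name__ == "__main__":
    graph = build_graph(installed_packages())
    print("top-level:", ", ".join(top_level(graph)))
    print("missing:", ", ".join(missing(graph)) or "none")
```

Run it inside the virtualenv you want to audit; anything in the top-level list you did not install on purpose is the first thing to look at.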