PyPI’s New Archival Feature Closes a Major Security Gap

PyPI now allows maintainers to archive projects, improving security and helping users make informed decisions about their dependencies.

Sarah Gooding

January 30, 2025


A major security improvement has landed on PyPI: maintainers can now archive projects, making it clear when a package is no longer actively maintained. This long-awaited feature, developed by Trail of Bits and funded by Alpha-Omega, helps developers make informed decisions about dependencies while protecting the Python ecosystem from risks associated with outdated or abandoned packages.

PyPI’s announcement describes archived projects as those whose owner has designated that they will no longer be updated, while the registry still allows them to be installed:

Project archival is not deletion: archiving a project does not remove it from the index, and does not prevent users from installing it. Archival is purely a user-controlled marker that gives project owners the ability to signal a project’s status; PyPI has no plans to delete or prune archived distributions.

The archived designation is also distinct from yanking: yanked releases are ignored by installers, unless a yanked release is the only one that matches a version specifier. The new archival status lets maintainers archive their projects and un-archive them (restore them to an active state) at will.
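As an added example (not code from the article or from PyPI), the yank rule described above applied to data in the shape of PyPI's per-project JSON API (`releases` keyed by version, each a list of files carrying a `yanked` flag); the sample project, its versions and reasons are constructed, and version parsing is simplified to dotted integers rather than full PEP 440:

```python
import operator

# Constructed stand-in for the response of https://pypi.org/pypi/<project>/json
SAMPLE_PROJECT = {
    "releases": {
        "1.0.0": [{"filename": "demo-1.0.0.tar.gz", "yanked": False, "yanked_reason": None}],
        "1.1.0": [{"filename": "demo-1.1.0.tar.gz", "yanked": True, "yanked_reason": "broken build"}],
        "1.2.0": [{"filename": "demo-1.2.0.tar.gz", "yanked": True, "yanked_reason": "regression"}],
    }
}

_OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def parse_version(text):
    # Simplification: dotted integers only (a subset of PEP 440 versions).
    return tuple(int(part) for part in text.split("."))


def matches(version, specifier):
    """True if the version satisfies a comma-separated specifier such as '>=1.1,<2'."""
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        for op in sorted(_OPS, key=len, reverse=True):  # check '>=' before '>'
            if clause.startswith(op):
                if not _OPS[op](parse_version(version), parse_version(clause[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause}")
    return True


def release_is_yanked(files):
    # A release counts as yanked only when every distribution file in it is yanked.
    return bool(files) and all(f.get("yanked", False) for f in files)


def select_release(project, specifier):
    """Pick the newest non-yanked release matching the specifier.

    A yanked release is used only when it is the sole release that matches,
    which is the rule the article describes. Returns (version, yanked) or None.
    """
    candidates = [(v, files) for v, files in project["releases"].items() if matches(v, specifier)]
    candidates.sort(key=lambda item: parse_version(item[0]), reverse=True)
    live = [(v, files) for v, files in candidates if not release_is_yanked(files)]
    if live:
        return live[0][0], False
    if len(candidates) == 1:
        return candidates[0][0], True
    return None
```

With the constructed data, `>=1.0` falls back to the older non-yanked 1.0.0, `==1.2.0` is the only match so the yanked release is still selected, and `>=1.1` matches only yanked releases and resolves to nothing.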

Bringing Greater Visibility to Package Maintenance Status

For years, PyPI lacked a structured way for maintainers to indicate a project’s lifecycle status. Users often had to infer whether a project was still maintained based on release dates or unstructured notes in project descriptions. This lack of clarity made it difficult for developers to make informed decisions about their dependencies, especially in terms of security and long-term maintainability.

“Thanks to this signal, downstream consumers can make better-informed decisions about whether to limit or migrate away from their use of a particular package without having to resort to heuristics around project activity or maintenance status,” Trail of Bits engineer Facundo Tuesca said in a post on the company’s blog.

“This results in a virtuous double-effect: downstreams are better informed about the status of their supply chain, and upstreams should receive fewer distracting, superfluous requests for maintenance information from upstreams.”

“With the new archival feature, project owners can explicitly mark a project as archived. This provides a clear signal to the community that no further updates, including security patches, should be expected.”

A Step Toward Better Project Lifecycle Management

Project archival is the first of several planned improvements aimed at enhancing project lifecycle visibility on PyPI. Future plans include introducing additional statuses such as "deprecated" and "unmaintained" and expanding PyPI’s APIs to allow clients to retrieve and act on project status information programmatically.

“The ‘archived’ state is also not the end-all, be-all of packaging statuses: as mentioned above, there are numerous other states (‘deprecated,’ ‘feature-complete,’ etc.) that project maintainers want to express in a consistent fashion,” Facundo Tuesca said. “Now that we have a blueprint for doing that with the 'archived' state, we’ll be looking into those as well.”

While project archivals are currently recorded and presented on PyPI’s web interface, this feature primarily benefits human users making decisions about whether to continue using a package. However, it does not yet help tools like pip and uv automatically alert developers when an archived dependency is still in use. As noted by Tuesca: “This feature will help users but it doesn’t yet help the machine-readable case. That’s something we’re working on!” Future improvements will aim to enhance automation around dependency management and security notifications.

This feature builds on PyPI’s earlier work on project quarantine, which introduced the ability to flag and isolate potentially harmful packages. While quarantine was designed for security threats, archival is focused on maintainers' ability to manage project visibility and communicate status changes transparently.

One recent threat PyPI has faced is revival hijacking—where attackers take over package names that were previously deleted and reintroduce malicious versions of once-trusted software. Because PyPI previously had no formal mechanism for marking projects as inactive or deprecated, some maintainers resorted to deleting their projects, unknowingly creating an opening for attackers.

Archival addresses this risk by ensuring that projects can be marked as inactive without relinquishing their names. This means attackers can no longer easily republish a deleted package under the same name, significantly mitigating the risk of supply chain attacks stemming from name re-registration.

Follow PyPI’s Future Lifecycle Management Features on GitHub

With archiving capabilities now live, maintainers have a powerful new tool to help keep the Python ecosystem informed and secure. If you maintain a package on PyPI, consider reviewing its status and archiving projects that are no longer active!

For those interested in tracking progress on future lifecycle management features, follow along on PyPI’s warehouse repo on GitHub with warehouse#16844.
