requests-async being replaced/cloned/squatted on PyPI? #3709
Unanswered
LourensVeen asked this question in General
Replies: 1 comment
The requests-async package is long since archived, and probably ought to just be deleted at this point. It looks to me like I must have been cleaning out old PyPI packages and someone's taken that name on with a new project.
I needed to write a Python script to do a bit of stress testing on a web service that I'm working on. This is not my usual bailiwick at all, but I remembered that Python had a `requests` library for doing HTTP, and I figured I'd want asyncio to speed things up, so I searched the web for "requests async" and found requests-async on PyPI. Looked good, and my script is almost working.

However, while debugging an SSL error, I tried looking up the source code for requests-async, and found this repo, which contained code that didn't seem to match what I had in my virtualenv. It's archived, and clearly dead, but it also has a ton of stars and was (is?) clearly widely used. And it suggests running `pip install requests-async`, so apparently it used to be on PyPI.

I then discovered that the source code link on PyPI has a URL that does not exist, but that some of the older versions pointed to this GitHub repo, and that seems to contain the code I ended up installing with `pip install requests-async`.

So now I'm wondering if the developers of the original `requests-async` know about this?

There must be old code that still uses `requests-async`, and possibly new code too, and so my first thought was that this was an attempt at a supply chain attack. I didn't find any obviously nefarious code in the library itself (that's no guarantee, I didn't spell it out line-by-line), but it does have some tests that access weird URLs apparently to test against. Then again, it appears that AI was used in making it, so who knows what it hallucinated, and the author seems to be Chinese and may not speak English, so things could have been lost in translation too.

At any rate, you may want to consider pinging PyPI and seeing what they think?

@lovelydinosaur
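The two signals raised in this thread (a source link on PyPI that points somewhere other than the repository you expect, and a name that goes silent for years and then gets new uploads after the original was cleaned out) can be checked mechanically from PyPI's JSON metadata. The script below is an added example written for this page, not code from the discussion or from the requests-async project. It works on a constructed sample shaped like the `https://pypi.org/pypi/<name>/json` response; the package name, URLs, versions and dates in it are made up, and `EXPECTED_REPO` is a hypothetical value standing in for the repository you believe the package should come from.

```python
"""Provenance check for a PyPI project name (added example, not project code).

Flags (1) declared project URLs that do not point at the repository you expect
and (2) a multi-year gap in the upload history, which is what a deleted name
looks like once someone else re-registers it and publishes new releases."""
from __future__ import annotations

from datetime import datetime
from urllib.parse import urlparse

# Constructed sample shaped like PyPI's JSON API (https://pypi.org/pypi/<name>/json).
# Names, URLs and dates are invented; this is NOT requests-async's real metadata.
SAMPLE_PYPI_JSON = {
    "info": {
        "name": "example-pkg",
        "version": "2.0.0",
        "home_page": "https://example.invalid/does-not-exist",
        "project_urls": {
            "Homepage": "https://example.invalid/does-not-exist",
            "Source": "https://github.com/someone-else/example-pkg",
        },
    },
    "releases": {
        "0.6.2": [{"upload_time_iso_8601": "2019-06-30T10:00:00.000000Z"}],
        "2.0.0": [{"upload_time_iso_8601": "2025-09-01T12:00:00.000000Z"}],
    },
}

# Hypothetical: the repository you believe this package is supposed to come from.
EXPECTED_REPO = "https://github.com/example-org/example-pkg"


def repo_key(url: str) -> str:
    """Normalise a forge URL to 'host/owner/repo' so trailing slashes, a .git
    suffix and letter case do not defeat the comparison."""
    parsed = urlparse(url.strip())
    parts = [p for p in parsed.path.split("/") if p][:2]
    if len(parts) == 2 and parts[1].endswith(".git"):
        parts[1] = parts[1][:-4]
    return "/".join([parsed.netloc.lower(), *[p.lower() for p in parts]])


def check_source_urls(info: dict, expected_repo: str) -> list[str]:
    """Findings about the URLs the package declares for itself."""
    findings = []
    declared = dict(info.get("project_urls") or {})
    if info.get("home_page"):
        declared.setdefault("home_page", info["home_page"])
    expected = repo_key(expected_repo)
    if not any(repo_key(url) == expected for url in declared.values()):
        findings.append(f"no declared URL points at {expected}")
    for label, url in declared.items():
        key = repo_key(url)
        # Only forge URLs are compared; a dead homepage is noise, a different repo is a finding.
        if key != expected and key.startswith(("github.com/", "gitlab.com/", "codeberg.org/")):
            findings.append(f"{label} points at a different repository: {key}")
    return findings


def release_gap_days(releases: dict) -> tuple[int, str, str]:
    """Largest gap in days between consecutive uploads, with the versions on
    either side of it. Returns (0, '', '') when there are fewer than two uploads."""
    uploads = []
    for version, files in releases.items():
        for f in files:
            stamp = f["upload_time_iso_8601"].replace("Z", "+00:00")
            uploads.append((datetime.fromisoformat(stamp), version))
    uploads.sort()
    worst = (0, "", "")
    for (t0, v0), (t1, v1) in zip(uploads, uploads[1:]):
        gap = (t1 - t0).days
        if gap > worst[0]:
            worst = (gap, v0, v1)
    return worst


def assess(pypi_json: dict, expected_repo: str, max_gap_days: int = 730) -> dict:
    """Combine both checks into a verdict a reviewer can act on."""
    findings = check_source_urls(pypi_json["info"], expected_repo)
    gap, before, after = release_gap_days(pypi_json["releases"])
    if gap > max_gap_days:
        findings.append(
            f"{gap}-day silence between {before} and {after}; name may have been re-registered"
        )
    return {"name": pypi_json["info"]["name"], "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = assess(SAMPLE_PYPI_JSON, EXPECTED_REPO)
    tag = "SUSPICIOUS" if result["suspicious"] else "ok"
    for line in result["findings"]:
        print(f"[{tag}] {result['name']}: {line}")
```

For a live check, fetch `https://pypi.org/pypi/<name>/json` and pass the parsed document to `assess()` with the repository you trust. A clean result only means the declared metadata is consistent; it is not a review of the code, so pair it with diffing the downloaded sdist against the trusted repository's tag before relying on a package that has changed hands.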