What problem does it solve?
Supply-chain poisoning has always been a persistent security problem. Existing solutions include mature but expensive-to-run tools like GuardDog, and lightweight tools like sfw that rely entirely on a paid Socket API. GuardDog is too heavy for everyday CI usage and is better suited to static analysis by security researchers. Running GuardDog against every artifact downloaded by pip install, including all dependencies, would slow installs down. sfw is lighter, but its dependence on a paid API creates another cost for everyday developers.
secpipw solves this by hooking into pip's installer and merging security checks directly into the pip install download and installation flow. The latest GitHub Actions benchmark compares the full download and install flow for default spip install against pip install across multiple target packages. The primary median is x-- of pip time. secpipw is completely free for everyone.
Today, many independent developers have suffered CI server compromises that leak secret keys and cause serious damage. With secpipw installed, that risk is greatly reduced, while requiring no payment, no extra performance budget, and no learning or configuration. Install it once with pip install secpipw, set an alias once, and keep using pip while gaining an important protection layer in the background.