Check reference
Checks
secpipw runs these checks around the resolved install plan and installed artifacts when you use spip install.
typo-suspect
MEDIUM / LOW
Detects packages whose names look like misspellings of popular packages, after pip has resolved the install plan. Resolved package names that are not themselves on the local hot-package list are compared against that list. Examples include requsets versus requests, panda versus pandas, and sixth versus six.
direct-url
MEDIUM
Warns when the install target or a resolved dependency uses a direct URL, VCS URL, or PEP 508 direct reference instead of a normal registry package reference.
recent-release
MEDIUM / LOW
Warns when the selected PyPI release is very fresh. Releases published less than 8 hours ago are MEDIUM; releases published less than 48 hours ago are LOW.
empty-description
LOW
Warns when the selected PyPI release metadata has neither a summary nor a long description.
yanked-release
MEDIUM
Warns when pip resolves a release that is marked as yanked. This uses pip's resolved install report and does not add an extra registry metadata request.
archive-hash
HIGH
Compares the resolved wheel or sdist hash with PyPI release metadata when that metadata is already available. A mismatch raises a HIGH warning.
suspicious-url
LOW
Warns when PyPI metadata links to a shortener, raw IP address, embedded credentials, or a similar suspicious URL pattern.
repository-mismatch
LOW
Warns when PyPI metadata points to a GitHub or GitLab repository whose repository name appears unrelated to the package name.
email-domain-drift
LOW
Warns when a package maintainer email domain changes compared with the local secpipw history cache.
zero-version
LOW
Warns when the selected package version is 0.0 or 0.0.0.
suspicious-pth
MEDIUM
Detects newly installed or changed .pth files that contain executable lines, that is, lines starting with import. The warning asks whether the suspicious installed .pth file should be deleted.
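The mechanism behind this check is that site.py exec()s any .pth line beginning with "import " or "import\t" at interpreter startup, while every other non-comment line is treated as a sys.path entry. The scanner below is an added example, not secpipw's own code; it flags such lines in a directory of .pth files, using two constructed sample files in a temporary directory.

```python
"""Flag .pth lines that site.py would execute instead of adding to sys.path."""
import os
import re
import tempfile

# CPython's site.addpackage() runs exec(line) for lines that start with
# "import " or "import\t"; a path such as "import_tools/lib" is NOT executed.
EXEC_LINE = re.compile(r"^import[ \t]")


def executable_pth_lines(text):
    """Return (line_number, line) pairs that site.py would exec() at startup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.rstrip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        if EXEC_LINE.match(stripped):
            hits.append((lineno, stripped))
    return hits


def scan_pth_dir(directory):
    """Map each .pth file in `directory` to its executable lines (files with hits only)."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            hits = executable_pth_lines(fh.read())
        if hits:
            findings[name] = hits
    return findings


def demo():
    """Constructed sample: one path-only .pth and one carrying an executable line.
    Legitimate packages also use this feature (setuptools' distutils-precedence.pth
    does), so a hit is a prompt to review, not proof of compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "vendor-paths.pth"), "w", encoding="utf-8") as fh:
            fh.write("/opt/vendor/lib\n# comment\nimport_tools/lib\n")
        with open(os.path.join(tmp, "helper.pth"), "w", encoding="utf-8") as fh:
            fh.write("import sys; sys.stderr.write('pth ran')\n")
        return scan_pth_dir(tmp)


if __name__ == "__main__":
    for fname, hits in demo().items():
        for lineno, line in hits:
            print(f"{fname}:{lineno}: executable line: {line}")
```

Point scan_pth_dir at a real site-packages directory to audit an existing environment; comparing its output before and after an install is the same idea as the artifact-history baseline described below.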
artifact-history
MEDIUM / LOW
Records a local baseline of installed package artifacts after a successful spip install. A later install of the same package warns when installed .pth files, entry-point metadata, or generated script file names are added, removed, or changed. Changes to .pth files are MEDIUM; added or removed entry-point metadata and generated script file names are LOW. Script file contents are not compared because generated wrappers can vary across environments.