Package Managers
secpipw can guard direct pip installs and selected package-add flows from pipx, poetry, and uv. It derives a pip install plan first, runs the same supply-chain checks, then lets the original manager perform the real environment update.
Supported managers
| Manager | Guarded entry point | Guarded commands |
|---|---|---|
| pip | spip install requests | install |
| pipx | spipx install black | install, inject, run |
| poetry | spoetry add requests | add, self add |
| uv | suv pip install requests | pip install, add, tool install, tool run |
How to start
spip install requests
spipx install black
spoetry add requests
suv pip install requests
External managers use dedicated guarded entry points instead of spip pipx, spip poetry, or spip uv subcommands.
secpipw options
For external managers, secpipw options must come before the manager command. After the first non-secpipw argument, the rest of the command belongs to the original manager.
spipx --spip-ignore-warning install black
suv --spip-ignore medium pip install requests
suv --sensitivity high tool install ruff
For example, suv pip install requests --spip-ignore medium sends --spip-ignore to uv, not secpipw. See the parameter reference for every secpipw option.
Refusal behavior
Non-install commands are passed through to the original manager. Install-affecting commands that secpipw cannot translate into a pip install plan are refused instead of running unchecked.
| Manager | Currently refused install-affecting commands |
|---|---|
| pipx | upgrade, upgrade-all, reinstall, reinstall-all |
| poetry | add --source ... when the custom source cannot be translated to a pip index |
| uv | run, sync, pip sync, tool upgrade, tool upgrade-all |
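
The option-ordering rule and the guard/refuse/pass-through decision described above, modelled in Python as an added example (this is not secpipw's own code). It assumes only the three options shown on this page, with --spip-ignore and --sensitivity taking a value and --spip-ignore-warning taking none, and that the manager subcommand is the first manager argument; split_args and classify are hypothetical names.

```python
# Illustrative model of the rules on this page; not secpipw's implementation.
# Assumption: value/flag arity is inferred from the page's example commands.
VALUE_OPTS = {"--spip-ignore", "--sensitivity"}
FLAG_OPTS = {"--spip-ignore-warning"}

# Command prefixes copied from the two tables on this page.
GUARDED = {
    "pipx": [("install",), ("inject",), ("run",)],
    "poetry": [("add",), ("self", "add")],
    "uv": [("pip", "install"), ("add",), ("tool", "install"), ("tool", "run")],
}
REFUSED = {
    "pipx": [("upgrade",), ("upgrade-all",), ("reinstall",), ("reinstall-all",)],
    "poetry": [],  # "add --source" is refused only conditionally; not modelled here
    "uv": [("run",), ("sync",), ("pip", "sync"),
           ("tool", "upgrade"), ("tool", "upgrade-all")],
}

def split_args(argv):
    """Wrapper options end at the first argument that is not a wrapper option."""
    opts, i = {}, 0
    while i < len(argv):
        if argv[i] in FLAG_OPTS:
            opts[argv[i]] = True
            i += 1
        elif argv[i] in VALUE_OPTS and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            break
    return opts, argv[i:]  # everything after the break belongs to the manager

def _matches(prefixes, manager_argv):
    # Whole-token comparison, so ("tool", "upgrade") never matches "upgrade-all".
    return any(tuple(manager_argv[:len(p)]) == p for p in prefixes)

def classify(manager, argv):
    """Return (verdict, wrapper_opts, manager_argv) for one guarded entry point."""
    opts, rest = split_args(argv)
    if _matches(REFUSED[manager], rest):
        verdict = "refused"        # install-affecting, no pip install plan
    elif _matches(GUARDED[manager], rest):
        verdict = "guarded"        # checked first, then run by the manager
    else:
        verdict = "passthrough"    # non-install command
    return verdict, opts, rest
```
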
Next
Continue with the parameter reference for the full secpipw option list.