Skip to content

docs: clarify dependency-confusion warning refers to --extra-index-url #13611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 12, 2025
Merged

docs: clarify dependency-confusion warning refers to --extra-index-url #13611

merged 6 commits into from
Oct 12, 2025
+5 −6

Conversation

isaacaman
Copy link
Contributor

This small docs change makes it explicit that the dependency-confusion warning applies to the --extra-index-url option. The previous wording ("Using this option...") can be ambiguous in the surrounding examples.
No code changes — docs-only fix. Closes #13609.

@isaacaman
docs: clarify dependency-confusion warning refers to --extra-index-url
c869ea5 
Make the warning in the pip install docs explicitly name --extra-index-url
so readers cannot misinterpret which option the warning refers to.
@sepehr-rs
Copy link
Collaborator

Hi @isaacaman, thanks a lot for your contribution to pip!
I'm not part of the triage team yet, so you'll need to wait for an official answer from them.
In the meantime, I noticed that your PR is missing a news file. You can find more details about it here.
If anything about the process is unclear, please feel free to ask.

@isaacaman
Copy link
Contributor Author

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

@sepehr-rs
Copy link
Collaborator

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you!
I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here.
Please let me know if you need any assistance fixing the pre-commit errors.

@isaacaman
Copy link
Contributor Author

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you! I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here. Please let me know if you need any assistance fixing the pre-commit errors.

Wow, All checks are green now 🎉 Thanks a lot!

@sepehr-rs
Copy link
Collaborator

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

Thank you! I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here. Please let me know if you need any assistance fixing the pre-commit errors.

Wow, All checks are green now 🎉 Thanks a lot!

Great! Now it should be just a matter of waiting for a maintainer to review and give the final approval.

sepehr-rs
sepehr-rs reviewed Oct 3, 2025
View reviewed changes
docs/html/cli/pip_install.rst Outdated
will ensure it gets chosen over the private package.
Using the ``--extra-index-url`` option to search for packages which are
not in the main repository (for example, private packages) is unsafe.
This is a class of security issue known as dependency confusion — an
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a quick question, is there a reason you chose to remove the https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/ link here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it accidentally, I'll add it right now.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

pfmoore
pfmoore reviewed Oct 3, 2025
View reviewed changes
@notatallshaw notatallshaw added this to the 25.3 milestone Oct 5, 2025
@ichard26 ichard26 added the skip news Does not need a NEWS file entry (eg: trivial changes) label Oct 12, 2025
ichard26
ichard26 approved these changes Oct 12, 2025
View reviewed changes
Copy link
Member

@ichard26 ichard26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I apologise for taking so long to get this in.

@ichard26 ichard26 merged commit e1c021d into pypa:main Oct 12, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pfmoore pfmoore pfmoore left review comments

@ichard26 ichard26 ichard26 approved these changes

+1 more reviewer

@sepehr-rs sepehr-rs sepehr-rs left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bot:chronographer:provided skip news Does not need a NEWS file entry (eg: trivial changes)

Projects

None yet

Milestone

25.3

Development

Successfully merging this pull request may close these issues.

Improve warning in pip install documentation

5 participants

@isaacaman @sepehr-rs @pfmoore @ichard26 @notatallshaw