PyPI Confusing Names

ID

confusing_names_pip

Severity

high

Family

Confusing Names

Tags

reachable

Description

Confusing Names in PyPI occurs when the distribution name declared in setup.py (the name argument to setup()) does not match any of the top-level packages the distribution exposes through the packages argument. The name developers see when installing the project is then different from the name they import in code.

Security

If the two names differ, a developer who sees import statements for one of the exposed packages may add a dependency on that package name rather than on the real distribution name. pip resolves the request against the public PyPI index, so if a distribution with the exposed package's name exists there (or is registered later by an attacker who notices the mismatch), it is installed instead of the intended private package and may contain malicious code. This is a dependency confusion vector: the mismatch itself is not a vulnerability in the code, but it makes a name lookup on a public index easy to get wrong.

Examples

setup.py (the distribution is installed as my-private-package, but the code is imported as utilities):

from setuptools import setup

setup(
    name='my-private-package',
    # ... other metadata
    packages=['utilities'],
    # ... other arguments
)

Mitigation / Fix

If you create a distribution to be used by other projects, make its name the same as the principal exposed package name, so that the name a developer writes in a requirements file is the name they import. In the example above, either rename the distribution to utilities or rename the exposed package to match the distribution name. If you cannot rename, pin the private package by exact name (and a private index with --index-url or --extra-index-url, not a public one alone) in the consuming projects, so that a lookup of the exposed name on PyPI never happens.
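The check this rule describes can be done statically without installing anything. The following is an added example written for this page, not the rule engine's own implementation: it parses a setup.py with the ast module, pulls the name and packages arguments out of the setup() call, and reports every top-level exposed package whose normalized name differs from the distribution name. The two setup.py strings are constructed inputs; the normalization follows the PEP 503 rule (case-fold, collapse runs of "-", "_" and "." into "-") so that a distribution named my-utils and a package named my_utils are treated as matching, which is the usual hyphen/underscore split between PyPI names and import names.

```python
import ast
import re

# Constructed inputs for the example (not from any real project).
VULNERABLE_SETUP = """
from setuptools import setup
setup(
    name='my-private-package',
    version='0.1.0',
    packages=['utilities', 'utilities.helpers'],
)
"""

FIXED_SETUP = """
from setuptools import setup
setup(
    name='utilities',
    version='0.1.0',
    packages=['utilities', 'utilities.helpers'],
)
"""

# Hyphen/underscore split only; considered a match after normalization.
UNDERSCORE_SETUP = """
from setuptools import setup
setup(
    name='my-utils',
    packages=['my_utils'],
)
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization used by package indexes."""
    return re.sub(r"[-_.]+", "-", name).lower()


def extract_setup_kwargs(source: str) -> dict:
    """Return the literal 'name' and 'packages' arguments of the setup() call.

    Non-literal values (e.g. packages=find_packages()) are returned as None
    because they cannot be resolved without executing the file.
    """
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        fname = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if fname != "setup":
            continue
        out = {}
        for kw in node.keywords:
            if kw.arg in ("name", "packages"):
                try:
                    out[kw.arg] = ast.literal_eval(kw.value)
                except ValueError:
                    out[kw.arg] = None
        return out
    return {}


def top_level_packages(packages) -> set:
    """'utilities.helpers' exposes the import name 'utilities'."""
    return {p.split(".")[0] for p in packages}


def confusing_names(source: str) -> list:
    """Top-level exposed packages whose name does not match the distribution name.

    Returns an empty list when the file cannot be decided statically.
    """
    kwargs = extract_setup_kwargs(source)
    name = kwargs.get("name")
    packages = kwargs.get("packages")
    if not name or not packages:
        return []
    dist = normalize(name)
    return sorted(p for p in top_level_packages(packages) if normalize(p) != dist)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SETUP), ("fixed", FIXED_SETUP)):
        print(label, confusing_names(src))
```

The detector deliberately stays silent when packages is computed (for example by find_packages()), since running setup.py to find out would execute untrusted code; a practitioner who needs that case can list the package directories on disk instead and feed them to confusing_names through top_level_packages.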