PyPI Anomalous Dependency

ID

anomaly_pip

Severity

low

Family

Anomalous Dependency

Description

A malicious dependency often shows certain patterns that can be used to heuristically warn of potential misbehaviour.

Missing project metadata, such as no license, no contact email, no author, no project homepage, or no project repository, can raise suspicion about the intentions of the package.

Security

When several of these hints are found for a new package in your project's dependency graph, this warrants a careful review of the target package.

Examples

A package without a homepage and with too little metadata to identify its author cannot be trusted without further analysis.
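The heuristic described above, as an added example that is not part of this rule's own implementation: it reads the `info` object returned by PyPI's JSON API (`https://pypi.org/pypi/<name>/json`) and lists which of the metadata hints are missing. The firing threshold and the constructed sample packages are assumptions.

```python
"""Score PyPI package metadata for the missing-field hints this rule looks for."""

# Keys of the PyPI JSON API "info" object that describe a source repository.
REPO_URL_TAGS = ("source", "repository", "code")
LICENSE_CLASSIFIER_PREFIX = "License ::"


def _blank(value):
    """True for None, empty strings and the 'UNKNOWN' placeholder older setuptools emitted."""
    return value is None or str(value).strip() in ("", "UNKNOWN")


def pypi_metadata_hints(info):
    """Return the list of missing-metadata hints for one PyPI 'info' object."""
    hints = []
    if _blank(info.get("author")) and _blank(info.get("maintainer")):
        hints.append("no author")
    if _blank(info.get("author_email")) and _blank(info.get("maintainer_email")):
        hints.append("no email")
    # A license may be declared in the free-text field or only via a trove classifier.
    has_license_classifier = any(
        c.startswith(LICENSE_CLASSIFIER_PREFIX) for c in info.get("classifiers") or [])
    if _blank(info.get("license")) and not has_license_classifier:
        hints.append("no license")
    # project_urls is a dict such as {"Homepage": ..., "Source": ...} or None.
    urls = {k.lower(): v for k, v in (info.get("project_urls") or {}).items() if not _blank(v)}
    if _blank(info.get("home_page")) and "homepage" not in urls:
        hints.append("no homepage")
    if not any(tag in key for key in urls for tag in REPO_URL_TAGS):
        hints.append("no repository")
    return hints


def is_anomalous(info, threshold=3):
    """Fire when at least `threshold` hints are present (the threshold is an assumption)."""
    return len(pypi_metadata_hints(info)) >= threshold


# Constructed samples shaped like PyPI's "info" object; neither is a real package.
SPARSE = {"name": "example-pkg", "author": "", "author_email": None, "license": "UNKNOWN",
          "home_page": "", "project_urls": None, "classifiers": []}
WELL_DESCRIBED = {"name": "example-lib", "author": "Jane Doe", "author_email": "jane@example.org",
                  "license": "MIT", "home_page": "https://example.org/lib",
                  "project_urls": {"Source": "https://example.org/git/lib"}, "classifiers": []}

if __name__ == "__main__":
    for meta in (SPARSE, WELL_DESCRIBED):
        print(meta["name"], pypi_metadata_hints(meta), is_anomalous(meta))
```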

Mitigation / Fix

Put packages reported by this rule in 'quarantine' and review them:

  • Is the author a well-known developer, with a good reputation in the industry?

  • Are there any related PyPI security issues?

If you conclude that the package is not malicious, you may then 'mute' the misconfiguration so this rule will not report the package in subsequent analyses.