Package Management Security

Index of All Documentation » Wing Pro Reference Manual » Package Manager »

When you install Python packages from Wing, or with any other package manager, you are downloading and installing software that (like all downloads) could potentially contain malware. It is very important to verify that you are not misspelling a package name, and that you are installing packages only from reputable sources.

Although the Python Package Index (which is used by pip, Poetry, and pipenv) is monitored, "typo-squatting" style malware attacks are sometimes detected, and it is quite possible that malware might exist in other legitimate packages. This might occur as a result of direct action of the package author, or in some cases could occur through incorporation of "upstream" code or dependencies that are not properly scrutinized by the package maintainer.

Other supported methods for creating Python environments, including Docker, Anaconda environments, Vagrant, and LXC/LXD, all use their own package repositories that may be subject to similar attacks.

As noted in Wing's End User License Agreement, it is your responsibility to assess the risks of package management and to inspect any packages you install using Wing or any other package manager. These packages do not come from Wingware, we have no control over their content, and we are not liable for any malware you may introduce by using our package manager integration.