Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

weird "Yandex Dependency Confusion" plugins #11391

Closed
soxofaan opened this issue Sep 5, 2023 · 5 comments · Fixed by #11397
Closed

weird "Yandex Dependency Confusion" plugins #11391

soxofaan opened this issue Sep 5, 2023 · 5 comments · Fixed by #11397

Comments

@soxofaan
Copy link
Contributor

soxofaan commented Sep 5, 2023

https://github.com/pytest-dev/pytest/blob/9c8937b4800c72bb511a45f4548f0c58823ec30b/doc/en/reference/plugin_list.rst lists a couple of plugins with the same description:

   :pypi:`pytest-check-requirements`                A package to prevent Dependency Confusion attacks against Yandex.                                                                                                                                         Feb 10, 2023    N/A                    N/A
   :pypi:`pytest-diffeo`                            A package to prevent Dependency Confusion attacks against Yandex.                                                                                                                                         Feb 10, 2023    N/A                    N/A
   :pypi:`pytest-factor`                            A package to prevent Dependency Confusion attacks against Yandex.                                                                                                                                         Feb 10, 2023    N/A                    N/A
   :pypi:`pytest-star-track-issue`                  A package to prevent Dependency Confusion attacks against Yandex.                                                                                                                                         Feb 10, 2023    N/A                    N/A
   :pypi:`pytest-xskynet`                           A package to prevent Dependency Confusion attacks against Yandex.                                                                                                                                         Feb 10, 2023    N/A                    N/A

each of these links to these strange, minimal pypi listings with

This is a security placeholder package. If you want to claim this name for legitimate purposes, please contact us at ...

Are these legitimate plugins that should be listed in the pytest docs?
@RonnyPfannschmidt
Copy link
Member

at first glance they aren't, lets use the descriptions for a filter

@The-Compiler
Copy link
Member

IMHO we should not go down the rabbit hole to curate the list. It's just that: An autogenerated list of pytest plugins. It's full of plugins which make no sense for general usage, but that's what it is. If we start excluding things, there's probably a lot more that would make sense to exclude (but where to draw the line?).

If we want a curated plugin list, that should be a different thing. IMHO, #11232 (sorting the list by popularity) is enough of a solution for this.

@nicoddemus
Copy link
Member

nicoddemus commented Sep 5, 2023
edited
Loading

I agree with @The-Compiler, we probably should focus on sorting the list by popularity/downloads, and only then if we find the need for a curated list, to manually maintain one (and a big IF at that, as I think sorting the list will already provide value enough).

@soxofaan
Copy link
Contributor Author

soxofaan commented Sep 5, 2023

If that list is not curated/reviewed, I think there should be a big fat warning on that page about that. Because it is part of the pytest docs I assumed some level of review was involved.
One has to carefully read the leading paragraph on that page to infer that there is no review involved.

@nicoddemus
Copy link
Member

@soxofaan would you like to contribute adding a warning to that page then? I guess our initial reasoning was that the paragraph plus the number of plugins would be hint enough that this was not manually maintained, but making that more explicit is certainly good.

soxofaan added a commit to soxofaan/pytest that referenced this issue Sep 6, 2023
@soxofaan
Issue pytest-dev#11391 improve plugin list disclaimer
9de30c4
soxofaan added a commit to soxofaan/pytest that referenced this issue Sep 6, 2023
@soxofaan
Issue pytest-dev#11391 improve plugin list disclaimer
8028e26
soxofaan added a commit to soxofaan/pytest that referenced this issue Sep 6, 2023
@soxofaan
Issue pytest-dev#11391 improve plugin list disclaimer
a5f2081
@soxofaan soxofaan mentioned this issue Sep 6, 2023
Merged
nicoddemus pushed a commit that referenced this issue Sep 6, 2023
@soxofaan
Improve plugin list disclaimer (#11397)
3ce63bc 
Closes #11391
jsuchenia pushed a commit to jsuchenia/adventofcode that referenced this issue Dec 2, 2023
Update dependency pytest to v7.4.2 (#32)
600981a 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [pytest](https://docs.pytest.org/en/latest/) ([source](https://github.com/pytest-dev/pytest), [changelog](https://docs.pytest.org/en/stable/changelog.html)) | patch | `==7.4.0` -> `==7.4.2` |

---

### Release Notes

<details>
<summary>pytest-dev/pytest (pytest)</summary>

### [`v7.4.2`](https://github.com/pytest-dev/pytest/releases/tag/7.4.2): pytest 7.4.2 (2023-09-07)

[Compare Source](pytest-dev/pytest@7.4.1...7.4.2)

### Bug Fixes

-   [#&#8203;11237](pytest-dev/pytest#11237): Fix doctest collection of `functools.cached_property` objects.

-   [#&#8203;11306](pytest-dev/pytest#11306): Fixed bug using `--importmode=importlib` which would cause package `__init__.py` files to be imported more than once in some cases.

-   [#&#8203;11367](pytest-dev/pytest#11367): Fixed bug where `user_properties` where not being saved in the JUnit XML file if a fixture failed during teardown.

-   [#&#8203;11394](pytest-dev/pytest#11394): Fixed crash when parsing long command line arguments that might be interpreted as files.

### Improved Documentation

-   [#&#8203;11391](pytest-dev/pytest#11391): Improved disclaimer on pytest plugin reference page to better indicate this is an automated, non-curated listing.

### [`v7.4.1`](https://github.com/pytest-dev/pytest/releases/tag/7.4.1): pytest 7.4.1 (2023-09-02)

[Compare Source](pytest-dev/pytest@7.4.0...7.4.1)

## Bug Fixes

-   [#&#8203;10337](pytest-dev/pytest#10337): Fixed bug where fake intermediate modules generated by `--import-mode=importlib` would not include the
    child modules as attributes of the parent modules.

-   [#&#8203;10702](pytest-dev/pytest#10702): Fixed error assertion handling in `pytest.approx` when `None` is an expected or received value when comparing dictionaries.

-   [#&#8203;10811](pytest-dev/pytest#10811): Fixed issue when using `--import-mode=importlib` together with `--doctest-modules` that caused modules
    to be imported more than once, causing problems with modules that have import side effects.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi44LjExIiwidXBkYXRlZEluVmVyIjoiMzYuMTA3LjIiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIifQ==-->

Reviewed-on: https://git.apud.pl/jacek/adventofcode/pulls/32
Co-authored-by: Renovate <[email protected]>
Co-committed-by: Renovate <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

improve plugin list disclaimer soxofaan/pytest
4 participants
@soxofaan @RonnyPfannschmidt @The-Compiler @nicoddemus