Would you feel better with a script containing eval(requests.get("http://pypi.org/foo.py"))?
It’s the script contents that count, not just dependencies.
Deno-style dependency version pinning doesn’t solve this problem unless you check every hash.
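As an added illustration of the two points in the comment above (not code from the comment's author): a static check that flags eval/exec fed by non-literal input, and a side-by-side of a bare version pin against a version pin plus content hash. The registry, URL and file contents are constructed stand-ins for a real package index.

```python
import ast
import hashlib
import hmac

# Constructed stand-ins: what the pinned URL served when it was reviewed, and
# a later, different payload served at the same URL/version.
GOOD = b"def foo():\n    return 42\n"
TAMPERED = b"def foo():\n    return 41\n"
PINNED_URL = "https://example.invalid/foo@1.2.3/foo.py"  # hypothetical URL
PINNED_SHA256 = hashlib.sha256(GOOD).hexdigest()  # recorded at review time


def fetch_version_pinned(url: str, registry: dict) -> bytes:
    """A bare version pin: accept whatever bytes the pinned URL serves today."""
    return registry[url]


def fetch_hash_pinned(url: str, expected_sha256: str, registry: dict) -> bytes:
    """Version pin plus content hash: refuse bytes whose digest differs."""
    data = registry[url]
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"hash mismatch for {url}: expected {expected_sha256}, got {actual}")
    return data


def compare_pins(registry: dict) -> tuple:
    """Return (version_pin_accepted, hash_pin_accepted) for the registry's current contents."""
    version_ok = fetch_version_pinned(PINNED_URL, registry) is not None
    try:
        fetch_hash_pinned(PINNED_URL, PINNED_SHA256, registry)
        hash_ok = True
    except ValueError:
        hash_ok = False
    return version_ok, hash_ok


def find_dynamic_exec(source: str) -> list:
    """Flag eval()/exec() calls whose first argument is not a string literal,
    e.g. eval(requests.get(...).text); returns (line number, call text) pairs."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in ("eval", "exec"):
            arg = node.args[0] if node.args else None
            if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                hits.append((node.lineno, ast.unparse(node)))
    return hits


if __name__ == "__main__":
    print(compare_pins({PINNED_URL: GOOD}), compare_pins({PINNED_URL: TAMPERED}))
    print(find_dynamic_exec("x = eval(requests.get('http://pypi.org/foo.py').text)\n"))
```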