Conversation

isaacaman

This small docs change makes it explicit that the dependency-confusion warning applies to the --extra-index-url option. The previous wording ("Using this option...") can be ambiguous in the surrounding examples.
No code changes — docs-only fix. Closes #13609.

Make the warning in the pip install docs explicitly name --extra-index-url
so readers cannot misinterpret which option the warning refers to.
@sepehr-rs (Contributor)

Hi @isaacaman, thanks a lot for your contribution to pip!
I'm not part of the triage team yet, so you'll need to wait for an official answer from them.
In the meantime, I noticed that your PR is missing a news file. You can find more details about it here.
If anything about the process is unclear, please feel free to ask.

@isaacaman (Author)

Hello @sepehr-rs, thanks for the review and for pointing that out. I’ve added a news fragment at news/13609.doc.rst in this branch. Please tell me if you'd like me to do something else.

@sepehr-rs (Contributor)

Thank you!
I think the pre-commit check is failing because your news file is missing a newline at the end. You can see more details in the report here.
Please let me know if you need any assistance fixing the pre-commit errors.

@isaacaman (Author)

Wow, all checks are green now 🎉 Thanks a lot!

@sepehr-rs (Contributor)

Great! Now it should be just a matter of waiting for a maintainer to review and give the final approval.

will ensure it gets chosen over the private package.
Using the ``--extra-index-url`` option to search for packages which are
not in the main repository (for example, private packages) is unsafe.
This is a class of security issue known as dependency confusion — an
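Review bot: the rewritten warning now names ``--extra-index-url`` explicitly, which is exactly the ambiguity the PR description sets out to remove; the sentence "This is a class of security issue known as dependency confusion — an" is cut off in this view, so confirm that its continuation still carries the external link to mitigation guidance that the previous text had (the azure.microsoft.com link a reviewer asks about below), because otherwise the warning tells readers the option is unsafe without pointing them to the safer setup.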
Contributor

Just a quick question, is there a reason you chose to remove the https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/ link here?

Author

I did it accidentally, I'll add it right now.

Contributor

Thanks!
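As an added example, not code from pip or from this PR, the following POSIX shell script audits pip configuration files and requirements files for the ``extra-index-url`` pattern the rewritten warning describes, and writes the safer single-``index-url`` form next to the risky one for comparison. The hostname ``private.example.invalid``, the file paths and the sample package name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from pip or this PR. It audits pip configuration
# and requirements files for the extra-index-url pattern the docs warning
# covers, and writes a safer single-index configuration for comparison.
# The hostname private.example.invalid and all paths are constructed placeholders.

# Exit 0 if FILE enables extra-index-url, whether as a pip.conf key
# ("extra-index-url = ...") or a requirements-file flag ("--extra-index-url ...").
# Comment lines do not match because the key must start the line.
pip_uses_extra_index() {
    grep -Eq '^[[:space:]]*(--)?extra-index-url([[:space:]]|=)' "$1"
}

# Print one line per offending file; return 1 if any file is flagged.
audit_pip_files() {
    status=0
    for f in "$@"; do
        if [ -f "$f" ] && pip_uses_extra_index "$f"; then
            echo "extra-index-url found in $f: package names can resolve from the public index"
            status=1
        fi
    done
    return $status
}

# Constructed sample of the risky layout: a private index added alongside PyPI,
# so a public package with the same name can be chosen over the private one.
write_risky_conf() {
    cat > "$1" <<'EOF'
[global]
extra-index-url = https://private.example.invalid/simple
EOF
}

# Constructed sample of the safer layout: the private index is the only index,
# so it alone decides where every package name resolves.
write_safer_conf() {
    cat > "$1" <<'EOF'
[global]
index-url = https://private.example.invalid/simple
EOF
}

# Stand-alone run: create both samples plus a requirements file in a temporary
# directory, audit them, and return the audit status (1 because two are flagged).
demo() {
    dir=$(mktemp -d)
    write_risky_conf "$dir/pip.conf"
    write_safer_conf "$dir/pip.safer.conf"
    printf -- '--extra-index-url https://private.example.invalid/simple\nsomepkg==1.0\n' > "$dir/requirements.txt"
    audit_pip_files "$dir/pip.conf" "$dir/pip.safer.conf" "$dir/requirements.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Calling ``demo`` prints the two flagged files and exits non-zero, which makes the check usable as a pre-commit or CI gate; the safer configuration passes because it routes every lookup through the one private index, which is then responsible for serving or proxying public packages itself.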

Successfully merging this pull request may close these issues.

Improve warning in pip install documentation