PyPI Introduces Project Archival to Enhance Supply Chain Security

PyPI has launched a new 'Project Archival' system that lets maintainers mark a project as archived, signaling to users that no further updates or maintenance will occur. Archived projects remain available for download but display a warning about their maintenance status, helping users make informed decisions about their dependencies.

This feature aims to mitigate the security risks posed by abandoned projects, which attackers often target in order to push malicious updates. It also reduces support requests by clearly communicating a project's lifecycle status.

Maintainers can optionally publish a final release with an explanation before archiving, and they can unarchive a project if development resumes.

The system is built on a LifecycleStatus model and will eventually support additional statuses such as 'deprecated' and 'feature-complete' to give users more clarity about a project's condition.

Overall, this initiative improves transparency in open-source maintenance, making it easier for developers to identify secure and actively maintained dependencies.
