From 67a348cb1456403525aa86d1c4dcb7ab4988bd55 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Fri, 27 Jan 2023 12:45:18 +0100 Subject: [PATCH 1/2] Use `--index-url` in PyPi description --- templates/package/content/pypi.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/package/content/pypi.tmpl b/templates/package/content/pypi.tmpl index 1cce31f537bfa..1ae243813de65 100644 --- a/templates/package/content/pypi.tmpl +++ b/templates/package/content/pypi.tmpl @@ -4,7 +4,7 @@
- 
pip install --extra-index-url {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/pypi/simple {{.PackageDescriptor.Package.Name}}
+ 
pip install --index-url {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/pypi/simple {{.PackageDescriptor.Package.Name}}
From 5c39bcc0e0eff5d28e1fe905d6d49e1e7dce3428 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Fri, 27 Jan 2023 12:50:46 +0100 Subject: [PATCH 2/2] Add warning in docs. --- docs/content/doc/packages/pypi.en-us.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/doc/packages/pypi.en-us.md b/docs/content/doc/packages/pypi.en-us.md index 588df71d60c27..ec2475aea346f 100644 --- a/docs/content/doc/packages/pypi.en-us.md +++ b/docs/content/doc/packages/pypi.en-us.md @@ -77,6 +77,8 @@ For example: pip install --index-url https://testuser:password123@gitea.example.com/api/packages/testuser/pypi/simple --no-deps test_package ``` +You can use `--extra-index-url` instead of `--index-url` but that makes you vulnerable to dependency confusion attacks because `pip` checks the official PyPi repository for the package before it checks the specified custom repository. Read the `pip` docs for more information. + ## Supported commands ```