Closed: AetherUnbound closed this 1 year ago
@AetherUnbound the package was not compromised. A new maintainer was recently onboarded (so the 'MAINTAINERS NEEDED' bit might be outdated) and on 2022-12-02, built wheels were added to the package.
Pipenv fails to install the package because it prefers wheels over the source, but then compares the hash of the wheels to the hash of the source recorded in Pipfile.lock.
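The hash check described in the comment above, as an added example (not code from the thread, pipenv or livereload): a constructed Pipfile.lock fragment pins only the sdist hash, and a constructed wheel, standing in for the one uploaded on 2022-12-02, fails the check while the sdist passes. The version number and artifact bytes are placeholders.

```python
import hashlib

# Constructed sample artifacts (not real distribution files). The wheel
# stands in for a build uploaded after the lock file was generated.
ARTIFACTS = {
    "livereload-9.9.9.tar.gz": b"sdist bytes (constructed)",
    "livereload-9.9.9-py2.py3-none-any.whl": b"wheel bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Hash an artifact in the 'sha256:<hex>' form Pipfile.lock uses."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed Pipfile.lock fragment: only the sdist hash is recorded,
# which is all that existed when the lock was written.
LOCK = {
    "default": {
        "livereload": {
            "version": "==9.9.9",
            "hashes": [sha256_hex(ARTIFACTS["livereload-9.9.9.tar.gz"])],
        }
    }
}


def recorded_hashes(lock: dict, name: str) -> set:
    """Return every artifact hash the lock file pins for a package."""
    hashes = set()
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(name)
        if entry:
            hashes.update(entry.get("hashes", []))
    return hashes


def check_artifact(lock: dict, name: str, filename: str, data: bytes) -> str:
    """Mimic the installer's check: a hash absent from the lock is a mismatch.
    The artifact kind is reported so an operator can tell 'a wheel appeared
    after the lock was written' from 'the pinned file itself changed'."""
    kind = "wheel" if filename.endswith(".whl") else "sdist"
    if sha256_hex(data) in recorded_hashes(lock, name):
        return f"ok:{kind}"
    return f"hash-mismatch:{kind}"


if __name__ == "__main__":
    for fname, data in ARTIFACTS.items():
        print(fname, check_artifact(LOCK, "livereload", fname, data))
```

A wheel mismatch while the sdist still matches means the lock predates the wheel; re-locking records both hashes, whereas a changed sdist hash is the case that warrants investigating the package itself.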
Thank you for looking into that more thoroughly @dhruvkb!
Description
It seems that the current set of packages fails to install:
The package in question has the note "MAINTAINERS NEEDED" on it, which gives me concern that this could have been compromised: https://github.com/lepture/python-livereload
Reproduction
just build --no-cache
Additional context
This was first identified in https://github.com/WordPress/openverse-api/pull/1057 (specifically https://github.com/WordPress/openverse-api/actions/runs/3767784439/jobs/6405648796).