@semanur-prenuvo, you asked some questions about `aws-sso-lib` security over on https://github.com/boto/botocore/issues/1923. This is a better place for discussion. What specifically do you want to know? I would estimate the supply chain security of `aws-sso-lib` to be a bit above average (MFA on everything, few transitive dependencies), but also not as maximal as I'm sure some high-profile projects have (e.g., I have not gotten around to signing my commits, or if someone managed to compromise the PyPI repo and publish a rogue version I'm not sure how I'd become aware other than user reports). I would note my `aws-assume-role-lib` has been designated a "critical" project on PyPI, which carries some security requirements like mandatory MFA, and those requirements cover all my projects including `aws-sso-lib`.