Closed danbaron63 closed 1 year ago
Having re-read the deprecation notices, there appears to be no statement that the package would be deleted from PyPI, or of a date on which this would occur.
The result is that all packages on PyPI which depend on codecov are not installable. A less disruptive move would have been to push another, essentially empty version of the package, and then yank the older, insecure versions. This would have allowed existing packages to be installed, albeit with perhaps degraded behaviour or loss of functionality.
Happy to be corrected, but I believe deleting the PyPI package is also a major security issue, as I think anyone can now snap up codecov with a malicious package that would be installed on many systems currently depending on codecov.
Edit: according to this, it should at least be impossible to register a new package under codecov: https://community.codecov.com/t/codecov-yanked-from-pypi-all-versions/4259
Sorry all, I didn't see this issue until now. To resolve this, we did push back up 2.1.13 as a final legacy package. We highly recommend moving away from the Python package to our current uploader or the CLI.
We put up a message about this pull here, and I'm extremely sorry for the disruption and headaches this might have caused.
Codecov appears to have disappeared from PyPI?
Has this been intentionally removed and when do we expect it to be available again?
Thanks! DB