Deleted dependency detected

[ashishbijlani]

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I found that this repo is vulnerable to attack due to deleted dependency from the public PyPI registry.

Details

Specifically, file https://github.com/yardencsGitHub/tweetynet/blob/eab406f0590f4e90a36530cada52a78b0c676a80/article/pyproject.toml lists projroot as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution.

Impact

Not only your apps/services using https://github.com/yardencsGitHub/tweetynet repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please manually register a placeholder projroot package on PyPI immediately or remove projroot dependency from https://github.com/yardencsGitHub/tweetynet/blob/eab406f0590f4e90a36530cada52a78b0c676a80/article/pyproject.toml to fix this vulnerability.

To automatically fix such issues in future, please install PackjGuard Github app [1].

Thanks!

1. PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

[NickleDave]

The name of the package is pyprojroot not projroot and it's on PyPI right here: https://pypi.org/project/pyprojroot/

That's how it's written in the pyproject.toml file https://github.com/yardencsGitHub/tweetynet/blob/eab406f0590f4e90a36530cada52a78b0c676a80/article/pyproject.toml#L25

If you're going to raise issues trying to get people to buy your product, at least get the package names right