New PyPI project archiving system aims to curb open-source security risks
![Python programming code is seen on a computer screen.](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2022/08/Python-Code-scaled-e1661466414554.jpg)
(Image credit: traffic_analyzer via Getty)
Mounting cybersecurity risks stemming from abandoned software projects have prompted the Python Package Index (PyPI) to unveil a new Project Archival system that lets project owners mark projects that will no longer be updated or maintained, BleepingComputer reports. Archived projects remain available for download, but users see a warning banner to help them make informed dependency choices. PyPI aims to strengthen supply-chain security by preventing attackers from hijacking abandoned projects and pushing malicious updates through them. The system, developed by Trail of Bits, is built on a LifecycleStatus model that lets maintainers archive or unarchive a project at any time. PyPI also plans to introduce further statuses, such as "deprecated" and "unmaintained", to describe a project's condition more precisely. The feature improves transparency in open-source software, reducing risk for developers while cutting down on support requests. PyPI recommends, but does not require, that maintainers publish a final release noting the archival. The move is expected to strengthen both security and communication across the open-source ecosystem.
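The archival banner helps humans reading a project page, but dependency hygiene is usually automated. The following added example (not code from PyPI, Trail of Bits or the article) shows one way to surface likely-abandoned dependencies from the shape of PyPI's JSON API (`https://pypi.org/pypi/<project>/json`), which exposes a `releases` mapping of version to file entries carrying an `upload_time_iso_8601` timestamp. It flags projects with no upload inside a configurable window; the responses embedded below are constructed for illustration, and the staleness threshold is an assumption, not a PyPI policy.

```python
"""Flag stale PyPI dependencies from JSON-API-shaped responses.

Added example, not PyPI's or Trail of Bits' code. It assumes the
documented response shape of https://pypi.org/pypi/<project>/json:
a "releases" mapping of version -> list of file dicts, each with an
"upload_time_iso_8601" string. The sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone


def latest_upload(project_json):
    """Return the newest upload datetime across all releases, or None if
    the project has never uploaded a file."""
    newest = None
    for files in project_json.get("releases", {}).values():
        for entry in files:
            ts = entry.get("upload_time_iso_8601")
            if not ts:
                continue
            # Accept both "+00:00" and "Z" suffixes for portability.
            dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if newest is None or dt > newest:
                newest = dt
    return newest


def stale_dependencies(responses, now, max_age_days=365):
    """Return sorted names of projects whose newest upload is older than
    max_age_days (or that have no uploads at all). max_age_days is an
    assumed local policy knob, not anything PyPI defines."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, data in responses.items():
        newest = latest_upload(data)
        if newest is None or newest < cutoff:
            stale.append(name)
    return sorted(stale)


# Constructed sample responses (not real PyPI data), keyed by project name.
SAMPLE_RESPONSES = {
    "activelib": {
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2024-06-01T10:00:00+00:00"}],
            "1.1.0": [{"upload_time_iso_8601": "2025-01-20T09:30:00Z"}],
        }
    },
    "oldlib": {
        "releases": {
            "0.9.0": [{"upload_time_iso_8601": "2021-03-01T08:00:00+00:00"}],
        }
    },
    "emptylib": {"releases": {}},
}

# Fixed "now" so the result is reproducible offline.
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    for project in stale_dependencies(SAMPLE_RESPONSES, NOW):
        print(f"review dependency: {project} (no upload in the last 365 days)")
```

In a real pipeline the `responses` mapping would be filled by fetching each pinned dependency's JSON endpoint; the check is a prompt for review, since a quiet project is not necessarily a compromised one, and the archival banner described in the article is the maintainer's authoritative signal.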