Latest Publications

The latest from PyUp's product and Cybersecurity Intelligence (CSI) teams.

Discontinuation of Safety CI for free users

Prior to August 1, 2022, PyUp offered a free edition of Safety CI, allowing users to scan their public GitHub repositories against our commercial Python vulnerability database. All users without …

List of Malicious and Pytosquatting Packages in PyPI

Researched & written by Sebastian Chnelik - PyUp Cybersecurity Intelligence Team. The PyUp Cybersecurity Intelligence team spends all day, every day finding undiscovered or unpublished security vulnerabilities in over 400,000 …

Log4j Security Incident

Special Vulnerability Advisory. Last updated: 3 January 2022, 11:13am PST. Check that your project doesn’t use Log4j directly or indirectly. If it does, Log4j versions 2.3.2 (Java 6), 2.12.4 (Java 7), …

A Patched Vulnerability in PyUp’s “Safety” Open-Source Command-Line Tool (CVE-2020-5252)

At PyUp, we take the security of our users and their systems very seriously. That’s why we are informing you right away about a vulnerability that one of our …

Finding security vulnerabilities in third party packages

Around a year and a half ago, we started building up a security database for third-party Python packages. This allows us to give users fine-grained control over what …

Analyzing Django requirement files on GitHub

Django is the most popular Python web framework. It is now almost 12 years old and is used on all kinds of different projects, from small to super large, from …

Pipfiles, pipenv and Docker

Exciting times in Python. With the recent introduction of Pipfiles and the new pipenv library it's time to rewrite our Dockerfiles to leverage all the goodness of modern Python packaging. …

Don't trust user input

While I was working on pyup.io's database for known security vulnerabilities, I've manually reviewed thousands of changelogs and commits over a couple of weeks. A lot of the security issues …