Package Details: pypiserver 2.4.1-1

Git Clone URL: https://aur.archlinux.org/pypiserver.git (read-only, click to copy)
Package Base: pypiserver
Description: Minimal PyPI server for uploading and downloading packages with pip/easy_install
Upstream URL: https://github.com/pypiserver/pypiserver
Licenses: MIT, zlib
Submitter: carsme
Maintainer: meryemplath
Last Packager: tippfehlr
Votes: 0
Popularity: 0.000000
First Submitted: 2025-12-26 12:34 (UTC)
Last Updated: 2026-06-11 16:44 (UTC)

Dependencies (17)

Sources (1)

Latest Comments

ilai commented on 2026-06-11 15:57 (UTC)

[MALICIOUS PACKAGE]

I orphaned this package yesterday.

meryemplath took ownership today and immediately pushed commit 70ef20c84550 impersonating me, adding a malicious post-install script. It installs atomic-lockfile, a NPM package that executes a binary blob as post-install script.

There is no reason NPM should be a dependency for pypiserver.

pfrenssen commented on 2026-06-05 06:22 (UTC) (edited on 2026-06-05 06:24 (UTC) by pfrenssen)

This cannot be installed due to an incompatibility between python-passlib and bcrypt 5.x.

ValueError: password cannot be longer than 72 bytes, truncate manually if necessary

Since python-passlib is no longer maintained, work is underway to switch to a fork in https://gitlab.archlinux.org/archlinux/packaging/packages/python-passlib/-/work_items/2