pip-env, pipe, pipes, sip, siv, lipo, etc.
Are all within an edit distance of 4 from pip, and would all be blocked.
Besides, 'dependency confusion' is not typo-squatting at all. It is about having a public package that masks the name of a private package repo. The default behavior of pip is to then use the public repo, which can let outsiders who know internal package names totally take over those internal packages.
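To make the over-blocking argument concrete, here is an added example (my code, not the commenter's) that assumes "edit distance" means Levenshtein distance and checks a constructed list of names against the "within 4 edits of pip" rule; it also goes one step beyond the comment by showing that an unrelated real package name like numpy falls inside the same radius.

```python
"""Check which package names a 'block anything within 4 edits of pip' rule would reject."""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def would_be_blocked(name: str, protected: str = "pip", max_distance: int = 4) -> bool:
    """True if `name` falls inside the blocking radius around `protected`."""
    return levenshtein(name.lower(), protected.lower()) <= max_distance


def blocked_names(candidates, protected: str = "pip", max_distance: int = 4) -> dict:
    """Map each blocked candidate to its distance from the protected name."""
    return {n: levenshtein(n.lower(), protected.lower())
            for n in candidates if would_be_blocked(n, protected, max_distance)}


# Constructed sample: the names from the comment plus two unrelated package names.
SAMPLE_NAMES = ["pip-env", "pipe", "pipes", "sip", "siv", "lipo", "numpy", "requests"]

if __name__ == "__main__":
    for name, dist in blocked_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {dist} edits from 'pip' -> blocked")
    # 'requests' is 8 edits away and is the only sample name that survives the rule.
```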