PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python
Jacob Mahon, Chenxi Hou, Zhihao Yao

TL;DR
This paper presents PyPitfall, a comprehensive analysis of vulnerable dependencies in the Python package ecosystem, revealing widespread security risks due to dependency chains in PyPI.
Contribution
It provides the first large-scale quantitative analysis of vulnerable dependencies in PyPI, highlighting the extent and impact of supply chain vulnerabilities in Python software.
Findings
4,655 packages explicitly depend on vulnerable versions
141,044 packages allow vulnerable versions within version ranges
Dependency chains pose significant security risks in the Python ecosystem
Abstract
Python software development heavily relies on third-party packages. Direct and transitive dependencies create a labyrinth of software supply chains. While it is convenient to reuse code, vulnerabilities within these dependency chains can propagate through dependencies, potentially affecting downstream packages and applications. PyPI, the official Python package repository, hosts a very large number of packages, yet the prevalence of vulnerable dependencies across it has not been comprehensively analyzed. This paper introduces PyPitfall, a quantitative analysis of vulnerable dependencies across the PyPI ecosystem. We analyzed the dependency structures of 378,573 PyPI packages and identified 4,655 packages that explicitly require at least one known-vulnerable version and 141,044 packages that permit vulnerable versions within specified ranges. By characterizing the ecosystem-wide dependency landscape and the security…
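The two counts in the abstract rest on a distinction worth making concrete: a requirement that explicitly pins a known-vulnerable version (an `==` clause) versus one whose version range merely permits a vulnerable release, so that a resolver may select it. The following is an added example, not the paper's tooling, that classifies a single requirement specifier against a set of vulnerable versions. Versions are simplified to dotted integers (PEP 440 pre-releases, epochs and local labels are out of scope), the specifier grammar covers `==`, `!=`, `<`, `<=`, `>`, `>=` and `~=`, and the release list and advisory data at the bottom are constructed for illustration.

```python
"""Classify a dependency requirement against known-vulnerable versions.

Added example, not code from the PyPitfall paper. Versions are dotted
integers only; clause grammar is ==, !=, <, <=, >, >=, ~= (compatible release).
"""
import re
from itertools import zip_longest

_CLAUSE_RE = re.compile(r"\s*(==|!=|<=|>=|~=|<|>)\s*(\d+(?:\.\d+)*)\s*")


def parse_version(text):
    """'1.2' -> (1, 2). Trailing zeros do not matter because _cmp zero-pads."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a, b):
    """Three-way compare with zero-padding, so (1, 2) == (1, 2, 0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def _satisfies(op, version, target):
    c = _cmp(version, target)
    if op == "==":
        return c == 0
    if op == "!=":
        return c != 0
    if op == "<":
        return c < 0
    if op == "<=":
        return c <= 0
    if op == ">":
        return c > 0
    if op == ">=":
        return c >= 0
    if op == "~=":
        # Compatible release: ~=1.2 means >=1.2 together with ==1.*
        if len(target) < 2:
            raise ValueError("~= needs at least two version components")
        prefix = target[:-1]
        return c >= 0 and _cmp(version[:len(prefix)], prefix) == 0
    raise ValueError(f"unknown operator {op!r}")


def parse_specifier(spec):
    """'>=1.0,<2.0' -> [('>=', (1, 0)), ('<', (2, 0))]. '' means any version."""
    spec = spec.strip()
    if not spec:
        return []
    clauses = []
    for part in spec.split(","):
        m = _CLAUSE_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported clause {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def allowed_versions(spec, releases):
    """Released versions the specifier permits, as tuples, ascending."""
    clauses = parse_specifier(spec)
    versions = [parse_version(r) for r in releases]
    return sorted(v for v in versions
                  if all(_satisfies(op, v, t) for op, t in clauses))


def classify(spec, vulnerable, releases):
    """Return 'explicit', 'permitted' or 'safe' for one requirement.

    explicit  - an == clause pins a version in the vulnerable set
    permitted - no vulnerable pin, but at least one vulnerable release
                satisfies the range, so a resolver may select it
    safe      - no vulnerable release satisfies the range
    """
    vuln = [parse_version(v) for v in vulnerable]
    pins = [t for op, t in parse_specifier(spec) if op == "=="]
    if any(_cmp(p, v) == 0 for p in pins for v in vuln):
        return "explicit"
    if any(_cmp(a, v) == 0
           for a in allowed_versions(spec, releases) for v in vuln):
        return "permitted"
    return "safe"


def would_resolve_to(spec, releases):
    """Highest permitted release: what a fresh resolve picks today, or None."""
    allowed = allowed_versions(spec, releases)
    return allowed[-1] if allowed else None


# Constructed sample data, not from the paper: a hypothetical dependency whose
# 1.x line is covered by an advisory and whose 2.x line carries the fix.
RELEASES = ["1.0.0", "1.1.0", "1.2.0", "2.0.0", "2.0.1"]
VULNERABLE = ["1.0.0", "1.1.0", "1.2.0"]

if __name__ == "__main__":
    for req in ["==1.1.0", ">=1.0,<2", "", "!=1.1.0", "~=1.2", "~=2.0", "==2.0.1"]:
        label = req or "<unpinned>"
        print(f"{label:>12}  {classify(req, VULNERABLE, RELEASES):9}  "
              f"resolves to {would_resolve_to(req, RELEASES)}")
```

Note the gap between `classify` and `would_resolve_to`: an unpinned requirement such as `>=1.0` is counted as "permitted" even though a fresh install today resolves to the safe 2.0.1, because a stale mirror, an upper bound added elsewhere in the resolution, or a lockfile generated before the fix shipped can still land on a vulnerable release. That is the distinction the paper's 4,655 versus 141,044 figures capture.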
