Archived projects remain available on PyPI and can still be installed, but users see a warning on the project page that should help them decide which packages to depend on.
The feature improves supply-chain security in the PyPI ecosystem: compromising a maintainer's account and pushing a malicious release to an abandoned but still widely used project is a common attacker technique, and an explicit "archived" marker tells downstream users that any new release from such a project is unexpected.
In addition, the new system is expected to increase transparency and reduce support requests by clearly notifying users of a project's status. An "archived" marker should prompt developers to look for alternative dependencies that are actively supported by their authors, rather than rely on outdated and potentially unsafe projects.
According to Trail of Bits, the team behind the project archival system, maintainers can now mark their projects as "archived", notifying users that no further updates, fixes, or support should be expected.
Importantly, project owners can unarchive a project at any time if needed.
The new system reuses the LifecycleStatus model originally introduced to quarantine projects, and includes a mechanism for changing a project's status. In the future, Trail of Bits intends to add more statuses, including deprecated, feature-complete, and unmaintained.
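The warning described above is shown on the PyPI web page; a practitioner will usually want the same signal in CI so that an archived (or quarantined) dependency is flagged before it is installed. The following is an added example, not code from the article, from PyPI or from Trail of Bits. It assumes a hypothetical per-project metadata table with a `lifecycle_status` key (the page does not describe how the status is exposed programmatically, so a constructed table stands in for whatever API a real check would query), parses a requirements file, normalises project names the way PyPI's simple index does (PEP 503), and groups dependencies by non-active status. The `fail_on` policy is the example's own choice, not something the page states.

```python
"""Audit a requirements file against PyPI lifecycle statuses.

Added example (not the article's or PyPI's code).
ASSUMPTION: project metadata is a dict {name: {"lifecycle_status": str}};
the real lookup mechanism is not described on the page.
"""
import re
from typing import Dict, List, Optional

# Constructed sample metadata: hypothetical project names and statuses.
SAMPLE_METADATA = {
    "Requests_Helper": {"lifecycle_status": "archived"},
    "fast_json": {"lifecycle_status": "active"},
    "legacy-auth": {"lifecycle_status": "archived"},
    "bad-pkg": {"lifecycle_status": "quarantined"},
}

# Constructed sample requirements file (comments, options, extras, markers).
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
Requests_Helper>=1.0   # archived upstream
fast.json[speed]==2.0
-r base.txt
legacy-auth
bad-pkg ; python_version < "3.12"
"""

# A project name starts with an alphanumeric and may contain . _ -
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of [-_.] collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_name(line: str) -> Optional[str]:
    """Return the normalised project name from one requirements line.

    Returns None for blank lines, comments and option lines such as
    -r / -e / --index-url. Version specifiers, extras and environment
    markers after the name are ignored.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    match = _NAME_RE.match(stripped)
    return normalize(match.group(1)) if match else None


def status_of(name: str, metadata: Dict[str, dict]) -> str:
    """Look up a project's lifecycle status; unknown projects count as active."""
    by_normalized = {normalize(k): v for k, v in metadata.items()}
    entry = by_normalized.get(normalize(name), {})
    return entry.get("lifecycle_status", "active")


def audit(requirements_text: str, metadata: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group requirement names by every status other than 'active'."""
    findings: Dict[str, List[str]] = {}
    for line in requirements_text.splitlines():
        name = parse_requirement_name(line)
        if name is None:
            continue
        status = status_of(name, metadata)
        if status != "active":
            findings.setdefault(status, []).append(name)
    return findings


def ci_should_fail(findings: Dict[str, List[str]],
                   fail_on=("quarantined",)) -> bool:
    """Policy (this example's choice): fail the build only for the listed
    statuses; archived projects are still installable, so by default they
    are reported as warnings rather than treated as a hard failure."""
    return any(status in findings for status in fail_on)


if __name__ == "__main__":
    result = audit(SAMPLE_REQUIREMENTS, SAMPLE_METADATA)
    for status, names in sorted(result.items()):
        print(f"{status}: {', '.join(names)}")
    raise SystemExit(1 if ci_should_fail(result) else 0)
```

Running the block against the constructed inputs reports two archived projects and one quarantined one and exits non-zero; passing `fail_on=("archived", "quarantined")` to `ci_should_fail` turns archived dependencies into a hard failure for teams that want to force a migration rather than just surface the warning.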