pixel_popping, 5 hours ago:

Yeah, pin the malware :p
rvz, 4 hours ago (reply to parent):

Nope. Those on pinned versions don't get the malware. You would have to publish the infected package first to infect others who haven't pinned their dependencies. With a simple pip install -U, if the dependency is not pinned, they will get the vulnerable version.
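The pinning point above can be checked mechanically. The following is an added example, not code from either commenter: a small audit of a requirements file that reports which entries are exactly pinned (`==`), which also carry a `--hash=` so that pip's `--require-hashes` mode would refuse a substituted artifact, and which float and would therefore pick up whatever the index serves after a `pip install -U`. The requirements text is constructed for the example; the package names and hash value are placeholders, not real releases.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements file (placeholder packages and hash, not real releases).
SAMPLE_REQUIREMENTS = """\
# constructed example for the audit below
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
certifi
idna==3.4 ; python_version >= "3.8"
"""

# First token of a requirement line: name, optional operator, optional version.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<op>===|==|~=|>=|<=|!=|>|<)?(?P<ver>[^\s;]*)"
)


@dataclass
class Finding:
    name: str
    status: str  # "pinned+hash", "pinned", or "unpinned"
    line: str


def classify_line(line: str):
    """Classify one requirements line; returns None for comments, blanks and pip options."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("-"):
        return None
    tokens = stripped.split()
    match = REQ_RE.match(tokens[0])
    if not match:
        return None
    hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
    op, ver = match.group("op"), match.group("ver")
    # Only an exact version (no wildcard) keeps an upgrade from pulling a newer release.
    exact = op in ("==", "===") and bool(ver) and "*" not in ver
    if exact and hashes:
        status = "pinned+hash"
    elif exact:
        status = "pinned"
    else:
        status = "unpinned"
    return Finding(match.group("name"), status, stripped)


def audit_requirements(text: str):
    """Join backslash continuations (pip's multi-line --hash style), then classify every line."""
    joined = text.replace("\\\n", " ")
    return [f for f in (classify_line(l) for l in joined.splitlines()) if f]


def unpinned_names(text: str):
    """Names that would move on 'pip install -U' because no exact version is given."""
    return [f.name for f in audit_requirements(text) if f.status == "unpinned"]


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{finding.status:12} {finding.line}")
```

Run against the sample, `urllib3` and `certifi` are reported as unpinned, `idna` as pinned without a hash, and `requests` as pinned with a hash; only the last category is immune both to a newer release and to a replaced artifact under the same version.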