alt Hacker NewsWith the recent high-profile attacks on PyPI packages, it’s no longer true that npm is the “only package manager where this regularly happens”.
In fact, pip is much more dangerous than npm because it lacks a lockfile. uv fixes that, but adoption is proceeding at a snail’s pace.
Replies
esafak • today at 2:11 AM
Apparently it does now: https://packaging.python.org/en/latest/specifications/pylock...
https://pip.pypa.io/en/stable/cli/pip_lock/
But who cares about pip, uv is here.
fragmede • today at 2:04 AM
I don't know about snails, but everything I'm in contact with has moved over to uv, and I can't imagine I'm the only one.
UV adoption is happening, though. NPM is still the only name in town.