Yeah, pin the malware :p
replyNope. Those on pinned versions don't get the malware.
replyYou would have to publish the infected package first to infect others who haven't pinned their dependencies. With a simple pip install -U, and if the dependency is not pinned, then they will get the vulnerable version.
I think it was a jab at the statement "if I pin the dep, I am safe". How do you know your current code is not compromised? No one reads all the code they run, anyway.
replyThere is always a risk that at the time that you pinned, the code was already compromised, but it lowers your attack surface to pin. As long as you've pinned while the code was not compromised, then someone changing the package for an already pinned version will fail the install because hash check fails.
replyIt's "if I pin the dep, I know that someone won't compromise the package repo and the next time I install 2.6.3 I can be sure that the same package is getting downloaded and installed."
This specific risk isn't just not having things version pinned. It's not having a hash of the package to check against to make sure you're getting the same package every time.