"Why does `twine upload` keep failing with 'HTTP 403: Invalid or non-existent authentication information'?"

Your API token is probably fucked. PyPI changed authentication in 2024 - legacy passwords are dead, and they didn't make it obvious in the UI. Fix it: ```bash # Generate a new API token at https://pypi.org/manage/account/token/ pip install twine twine upload dist/* --username __token__ --password pypi-your-actual-token-here ``` Pro tip: Store the token in `~/.pypirc` so you don't have to type that shit every time: ```ini [pypi] username = __token__ password = pypi-AgEIcHlwaS5vcmcyLongTokenStringHere ```

"My package uploaded but when I install it, Python can't find my modules. What the fuck?"

Your `pyproject.toml` is lying about where your code actually is. Classic mistake when switching from `setup.py`. This breaks: ```toml [build-system] requires = ["setuptools", "wheel"] [project] name = "mypackage" ``` This works: ```toml [build-system] requires = ["setuptools>=61.0", "wheel"] build-backend = "setuptools.build_meta" [project] name = "mypackage" dynamic = ["version"] [tool.setuptools.packages.find] where = ["src"] # Tell setuptools your code is in src/ ```

"How do I avoid publishing packages that some asshole can hijack?"

Use **Trusted Publishing** - it's GitHub Actions that directly authenticates with PyPI without storing tokens anywhere. Set it up: 1. In PyPI: Account Settings → Publishing → Add a new pending publisher 2. Fill out: your GitHub repo, workflow filename, environment name 3. In GitHub: Create a "pypi" environment with required reviewers 4. Use the [official PyPA GitHub Action](https://github.com/pypa/gh-action-pypi-publish) No more token bullshit, no more credential leaks.

"Someone created a typosquatting package that looks like mine. Now what?"

File a [PyPI support request](https://pypi.org/help/#file-support-requests) immediately with evidence. They take this shit seriously since the [December 2024 Ultralytics attack](https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/). Protect yourself: - Register common typos of your package name early - Monitor PyPI for similar names using [PyPI-Scout](https://github.com/nccgroup/pip-audit) - Set up Google Alerts for your package name

"'error: Microsoft Visual C++ 14.0 is required' when building wheels. Help?"

Windows package building is fucked by design. Your package probably has C extensions that need compilation. Quick fixes: ```bash # Option 1: Let PyPI build the wheels for you pip install build python -m build --wheel # Run this on multiple platforms # Option 2: Use cibuildwheel for automated multi-platform builds pip install cibuildwheel cibuildwheel --output-dir dist/ ``` Or just tell Windows users to use conda and save everyone the pain.

"I accidentally published my API keys in my package. How fucked am I?"

Pretty fucked, but recoverable if you move fast. [Leaked credentials](https://blog.gitguardian.com/secrets-api-management/) get scraped by bots within minutes - I've seen AWS keys get used before the commit notification email arrives. Damage control: 1. **Immediately** revoke the leaked credentials 2. Delete the release from PyPI (you have 30 minutes before it's cached forever) 3. Generate new credentials 4. Add the leaked keys to your `.gitignore` and use environment variables 5. Consider the compromised systems breached until proven otherwise

"How do I know if my dependencies are secure and won't break user installs?"

Use `pip-audit` to scan for vulnerabilities and `pipdeptree` to visualize dependency hell: ```bash pip install pip-audit pipdeptree safety pip-audit # Scans for known vulnerabilities pipdeptree --warn conflict # Shows dependency conflicts safety check # Alternative vulnerability scanner ``` Pin your dependencies with exact versions in production: ``` requests==2.31.0 # Not requests>=2.31.0 pandas==2.0.3 # Prevents surprise breakage ```

"My package builds fine locally but fails on different Python versions. What now?"

Testing on one Python version is like testing your code on localhost and calling it production-ready. Use [tox](https://tox.wiki/) to test multiple versions:```bashpip install tox# tox.ini [tox]envlist = py38,py39,py310,py311[testenv]deps = pytestcommands = pytest tests/```Or use GitHub Actions matrix builds:```yamlstrategy: matrix: python-version: ["3.8", "3.9", "3.10", "3.11"]```Common version-specific failures:- f-strings (Python 3.6+)- `pathlib.Path.readtext()` (Python 3.5+)- Type hints syntax changes- Deprecated standard library functions

"How do I handle package dependencies that conflict with each other?"

Welcome to dependency hell - the reason Docker exists. Check conflicts with `pipdeptree`:```bashpip install pipdeptreepipdeptree --warn conflict```Solutions that actually work:- **Loose pinning**: `requests>=2.28.0,<3.0.0` (allows patch updates)- **Dependency groups**: Use `[project.optional-dependencies]` for dev tools- **Version constraints**: Let pip's resolver figure it out, don't over-constrainAvoid exact pinning (`==`) unless you have a specific reason. It causes more problems than it solves.

"Someone forked my package, made minimal changes, and is republishing under a similar name. Legal?"

Probably legal if your license allows it, but shitty behavior. Document the original with clear attribution requirements:```python# In your __init__.py__author__ = "Your Name"__original__ = "https://github.com/yourusername/original-package" __license__ = "MIT"```MIT/BSD licenses require attribution. If they're not providing it, you have grounds for a DMCA takedown.

"I want to transfer ownership of my package but keep some control. How?"

PyPI supports multiple maintainers with different permission levels:1. Add co-maintainers: `Manage → Collaborators → Add collaborator`2. Set permissions: Owner (full access) vs Maintainer (can't delete project) 3. Document succession plan in README4. Use GitHub's "transfer repository" feature for the source codeDon't just abandon packages - either transfer ownership or mark them as deprecated. Abandoned packages become attack targets.

"How do I know if my package is being used in production somewhere important?"

Check reverse dependencies and download stats:- [Libraries.io](https://libraries.io/) shows what packages depend on yours- PyPI download stats: `pip install pypistats && pypistats overall mypackage` - GitHub's "Used by" tab shows dependent repositories- Search for your package name in GitHub code searchIf major companies depend on your package, consider:- More rigorous testing procedures- Security-focused development practices - Communication channels for security issues- Succession planning (bus factor > 1)High-impact packages get more scrutiny but also more responsibility.

Currently viewing the AI version

Switch to human version

PyPI Publishing Security Guide: AI-Optimized Reference

Critical Context & Threat Landscape

Current State: Malicious package attacks increased 200% in 2025. PyPI faces thousands of malicious packages uploaded monthly. Supply chain attacks are now standard threat vectors.

Major Incidents: December 2024 Ultralytics breach - Bitcoin mining malware injected into popular computer vision package through compromised GitHub Actions workflow.

Authentication & Access Control

API Token Issues

Problem: Legacy passwords disabled in 2024. Common failure: "HTTP 403: Invalid or non-existent authentication information"

Solution:

twine upload dist/* --username __token__ --password pypi-your-actual-token-here

Storage Configuration (~/.pypirc):

[pypi]
username = __token__
password = pypi-AgEIcHlwaS5vcmcyLongTokenStringHere

Trusted Publishing (Recommended)

Security Level: Eliminates token storage completely
Implementation Time: 5 minutes setup
Authentication Method: GitHub Actions OIDC with PyPI

Setup Process:

PyPI: Account Settings → Publishing → Add pending publisher
- Repository: username/package
- Workflow: publish.yml
- Environment: pypi
GitHub: Create protected environment pypi
- Settings → Environments → New environment
- Required reviewers (access control)
- Prevents unauthorized publishing
Workflow Configuration:

name: Publish to PyPI
on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Build package
        run: |
          pip install build
          python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1

Package Structure & Configuration

Modern Package Layout (src/ layout)

Critical Advantage: Prevents testing local code instead of installed package
Failure Prevention: Catches import errors before users encounter them

Structure:

myproject/
├── src/
│   └── mypackage/
│       ├── __init__.py
│       └── core.py
├── tests/
├── pyproject.toml
└── README.md

pyproject.toml Configuration

Status: setup.py is deprecated. pyproject.toml is the only modern standard.

Working Configuration:

[build-system]
requires = ["setuptools>=61.0", "wheel"]
build-backend = "setuptools.build_meta"

[project]
name = "mypackage"
version = "0.1.0"
description = "Does stuff without breaking"
authors = [{name = "Your Name", email = "you@domain.com"}]
license = {text = "MIT"}
dependencies = [
    "requests>=2.31.0,<3.0.0",  # Pin major versions
    "click>=8.0.0"
]
requires-python = ">=3.8"

[tool.setuptools.packages.find]
where = ["src"]  # Critical for src layout

Common Failure: Missing build-backend and where configuration causes module import failures.

Security Scanning & Vulnerability Management

Dependency Vulnerabilities

Primary Attack Vector: Most common compromise method
Scanning Tools:

pip install pip-audit
pip-audit  # Scans against PyPA Advisory Database
pip-audit --desc  # Shows vulnerability descriptions
pip-audit --fix   # Attempts to upgrade to safe versions

Workflow Security

Tool: zizmor - detects template injection attacks

pip install zizmor
zizmor .github/workflows/

CI Integration:

- name: Audit dependencies
  run: pip-audit --desc --format=json
- name: Audit workflows
  run: zizmor --format=json .github/workflows/

Version Management & Compatibility

Semantic Versioning Requirements:

1.0.0 → 1.0.1: Bug fixes (safe auto-update)
1.0.0 → 1.1.0: New features (probably safe)
1.0.0 → 2.0.0: Breaking changes (requires human review)

Automation:

pip install bump2version
bump2version patch  # 1.0.0 → 1.0.1
bump2version minor  # 1.0.1 → 1.1.0
bump2version major  # 1.1.0 → 2.0.0

Testing & Quality Assurance

Installation Testing

Critical Step: Test installed package, not local code

# Build and install in isolated environment
python -m build
pip install dist/*.whl --force-reinstall

# Verify installation
python -c "import mypackage; print(mypackage.__version__)"
python -m pytest tests/

Common Hidden Failures:

Missing __init__.py files
Incorrect package paths in pyproject.toml
Missing data files not included in MANIFEST.in
Import errors from incorrect module structure

Multi-Version Testing

Tool: tox for comprehensive Python version testing

# tox.ini
[tox]
envlist = py38,py39,py310,py311

[testenv]
deps = pytest
commands = pytest tests/

GitHub Actions Matrix:

strategy:
  matrix:
    python-version: ["3.8", "3.9", "3.10", "3.11"]

Dependency Management

Conflict Resolution

Diagnostic Tool:

pip install pipdeptree
pipdeptree --warn conflict

Best Practices:

Loose pinning: requests>=2.28.0,<3.0.0
Avoid exact pinning (==) unless specific reason
Use dependency groups: [project.optional-dependencies]

Cross-Platform Compatibility

Tool: cibuildwheel for universal wheels
Critical for: C extensions, Apple Silicon compatibility

# .github/workflows/wheels.yml
- name: Build wheels
  uses: pypa/cibuildwheel@v2.16.2
  env:
    CIBW_ARCHS_MACOS: x86_64 arm64  # Both Intel and M1
    CIBW_ARCHS_LINUX: x86_64 aarch64  # Both x64 and ARM

Release Process & Human Controls

Staging Workflow

Required Step: Test on TestPyPI before production

# Upload to TestPyPI
twine upload --repository testpypi dist/*

# Test installation
pip install --index-url https://test.pypi.org/simple/ mypackage

# Production upload only after verification
twine upload dist/*

Human Firewall Requirements

Code review: All changes require PR approval
Protected environments: Only trusted maintainers can publish
Release checklist: Documented manual verification steps
Fresh environment testing: Test wheel installation on clean Python environment

Threat Response & Incident Management

Credential Compromise

Timeline: Leaked credentials get scraped within minutes
Response Protocol:

Immediately revoke leaked credentials
Delete PyPI release (30-minute window before permanent caching)
Generate new credentials
Add leaked keys to .gitignore, use environment variables
Consider compromised systems breached until proven otherwise

Typosquatting Protection

Monitoring:

Register common typos early
Use PyPI-Scout for similar name monitoring
Set up Google Alerts for package name

Response: File PyPI support request immediately with evidence

Package Abandonment

Requirements: Either transfer ownership or mark deprecated
Reason: Abandoned packages become attack targets

Production Package Considerations

High-Impact Package Responsibilities

Indicators:

Major company dependencies (check Libraries.io)
High download statistics (pypistats)
GitHub "Used by" tab shows critical projects

Additional Requirements:

More rigorous testing procedures
Security-focused development practices
Communication channels for security issues
Succession planning (bus factor > 1)

Corporate Security Compliance

Common Flags:

Network requests
File system access
Dependencies with CVEs
Unknown publisher

Documentation Template:

## Security Information
This package:
- ✅ Makes HTTPS requests to api.example.com only
- ✅ Reads/writes files only in user-specified directories
- ✅ Dependencies scanned with pip-audit (see CI results)
- ✅ Published via GitHub Actions with signed commits
- ❌ Does NOT access sensitive system resources
- ❌ Does NOT make unexpected network connections

Deprecation Management

Breaking Change Timeline

Version 1.5.0: Add deprecation warnings
Version 1.6.0: Increase warnings, update documentation
Version 2.0.0: Remove deprecated features

Implementation:

import warnings

def old_function():
    warnings.warn(
        "old_function() is deprecated, use new_function() instead. "
        "This will be removed in version 2.0.0",
        DeprecationWarning,
        stacklevel=2
    )
    return new_function()

Minimum Timeline: 3 months and 2 minor versions for migration

Publishing Method Comparison

Method	Security Risk	Maintenance Burden	Best Use Case	Critical Weakness
Manual twine	Token storage vulnerability	High - constant token rotation	Learning/one-offs	Human error prone
GitHub Actions (token)	Secret leakage risk	Medium - token management	Legacy workflows	Token compromise
Trusted Publishing	Minimal - no stored secrets	Low - automatic auth	Production packages	Requires GitHub/PyPI setup
Local build	High - dev machine compromise	Very high - bus factor of 1	Emergency fixes only	Single point of failure

Essential Toolchain

Security Tools

pip-audit: PyPA Advisory Database scanning
zizmor: GitHub Actions security analysis
safety: Commercial vulnerability database
bandit: Python code security analysis

Build Tools

build: Modern package builder (replaces setup.py)
cibuildwheel: Multi-platform wheel building
twine: Package uploading

Testing Tools

tox: Multi-version Python testing
pytest: Test framework
pipdeptree: Dependency conflict analysis

Monitoring Tools

pypistats: Download analytics
Libraries.io: Reverse dependency tracking
PyPI-Scout: Typosquatting monitoring

Resource References

Critical Resources

PyPI Help: Official troubleshooting
Trusted Publishing Guide: Token-free publishing
PyPI Support: Malicious package reporting
Python Infrastructure Status: Service availability

Security Resources

PyPI Blog: Security announcements
Python Vulnerability Database: Known vulnerabilities
Sonatype Security Research: Malicious package analysis

Development Resources

PyPA Sample Project: Reference implementation
pyOpenSci Packaging Guide: Modern best practices
TestPyPI: Staging environment

Useful Links for Further Investigation

Essential Resources for Package Publishing

Link	Description
PyPI Help & FAQ	Official troubleshooting when shit breaks
Python Packaging User Guide	The canonical reference, not always up to date
Trusted Publishing Guide	How to publish without storing tokens
PyPI Terms of Use	Legal requirements for package publishing
pip-audit	Scan dependencies for known vulnerabilities
zizmor	Find GitHub Actions security issues
safety	Alternative vulnerability scanner with commercial DB
Bandit	Find security issues in your Python code
build	Modern package builder, replaces `setup.py`
cibuildwheel	Build wheels for all platforms automatically
PyPI Support	Report malicious packages, security issues, account problems
Stack Overflow pypi tag	Where you'll be debugging at 3am
Python Infrastructure Status	Check if PyPI is down before panicking
GitHub Actions PyPI Publish	Official action for Trusted Publishing
Pre-commit hooks	Catch issues before they hit CI
tox	Test your package across Python versions
nox	More flexible alternative to tox
PyPA GitHub Organization	Where Python packaging tools are developed
pyOpenSci Packaging Guide	Comprehensive guide with modern best practices
PyPI Blog	Security announcements and policy changes
Sonatype Security Research	Reports on malicious package campaigns
Checkmarx Supply Chain Security	Analysis of package repository attacks
TestPyPI	Staging environment for testing uploads
pypistats	Download statistics and usage analytics
Libraries.io	See what depends on your package
Snyk Advisor	Package health and security scores
PyPA Sample Project	Reference implementation of modern packaging
Python Package Template	Cookiecutter with CI/CD setup
Hypermodern Python	Best practices guide with working examples
MITRE CVE Database	Check if vulnerabilities have CVE numbers assigned
Python Vulnerability Database	Browse known security vulnerabilities in Python packages
PyPI Security Reporting	Guidelines for reporting security issues

Related Tools & Recommendations

compare

Similar content

Uv vs Pip vs Poetry vs Pipenv - Which One Won't Make You Hate Your Life

I spent 6 months dealing with all four of these tools. Here's which ones actually work.

/compare/uv-pip-poetry-pipenv/performance-comparison

100%

tool

Similar content

Python Dependency Hell - Now With Extra Steps

pip installs random shit, virtualenv breaks randomly, requirements.txt lies to you. Pipenv combines all three tools into one slower tool.

Pipenv

/tool/pipenv/overview

90%

tool

Similar content

Stop Conda From Ruining Your Life

I wasted 6 months debugging conda's bullshit so you don't have to

Conda

/tool/conda/performance-optimization

85%

integration

Recommended

GitHub Actions + Jenkins Security Integration

When Security Wants Scans But Your Pipeline Lives in Jenkins Hell

GitHub Actions

/integration/github-actions-jenkins-security-scanning/devsecops-pipeline-integration

71%

tool

Similar content

uv - Python Package Manager That Actually Works

Discover uv, the high-performance Python package manager. This overview details its core functionality, compares it to pip and Poetry, and shares real-world usa