diff --git a/docs/blog/posts/2025-12-31-pypi-2025-in-review.md b/docs/blog/posts/2025-12-31-pypi-2025-in-review.md new file mode 100644 index 000000000000..8bc11638e828 --- /dev/null +++ b/docs/blog/posts/2025-12-31-pypi-2025-in-review.md @@ -0,0 +1,122 @@ +--- +title: "PyPI in 2025: A Year in Review" +description: "A look back at the major changes to PyPI in 2025." +authors: + - di +date: 2025-12-31 +tags: +- new features +- security +- organizations +--- + +As 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. This year, we've focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency. + + + +But first, let's look at some numbers that illustrate the scale of PyPI in 2025: + +* **[NUMBER]** new files published +* **[NUMBER]** new projects created +* **[NUMBER]** petabytes of data transferred +* **[NUMBER]** billions of requests served + +These numbers are a testament to the continued growth and vibrancy of the Python community. As always, a huge thanks to our [sponsors](https://pypi.org/sponsors/) who make this kind of scale possible. + +Let's dive into some of the key improvements we've made to PyPI this year. + +## Security First, Security Always + +Security is our top priority, and in 2025 we've shipped a number of features to make PyPI more secure than ever before. + +### Enhanced Two-Factor Authentication (2FA) for Phishing Resistance + +We've made significant improvements to our 2FA implementation, starting with **[email verification for TOTP-based logins](/posts/2025-11-14-login-verification.md)**. This adds an extra layer of security to your account by requiring you to confirm your login from a trusted device, when using a phishable 2FA method like TOTP. + +Since rolling out these changes, we've seen: + +* **[PERCENTAGE]%** of active users with non-phishable 2FA enabled. +* **[NUMBER]** total unique verified logins. + +### Trusted Publishing and Attestations + +**[Trusted publishing](/posts/2025-11-10-trusted-publishers-coming-to-orgs.md)** continues to be a cornerstone of our security strategy. This year, we've expanded support to include **GitLab Self-Managed instances**, allowing maintainers to automate their release process without needing to manage long-lived API tokens. We've also introduced support for **custom OIDC issuers for organizations**, giving companies more control over their publishing pipelines. + +Adoption of trusted publishing has been fantastic: + +* **[NUMBER]** of projects are now using trusted publishing. +* **[PERCENTAGE]%** of all uploads to PyPI in the last year were done via trusted publishers. + +We've also been hard at work on **attestations**, a new security feature that allows publishers to make verifiable claims about their software. We've added support for attestations from all Trusted Publishing providers, and we're excited to see how the community uses this feature to improve the security of the software supply chain. + +* **[PERCENTAGE]%** of all uploads to PyPI in the last year that included an attestation. + +### Proactive Security Measures + +Beyond user-facing features, we've also implemented a number of proactive security measures to protect the registry from attack. These include: + +* **Phishing Protection:** To combat the ongoing threat of phishing attacks, PyPI now [detects and warns users about untrusted domains](/posts/2025-07-28-pypi-phishing-attack.md). +* **Improved ZIP file security:** We've hardened our upload pipeline to [prevent a class of attacks involving malicious ZIP files](/posts/2025-08-07-wheel-archive-confusion-attacks.md). +* **Typosquatting detection:** PyPI now automatically detects and flags potential typosquatting attempts during project creation. Since enabling this feature, we've proactively blocked **[NUMBER]** of suspicious project names. +* **Domain Resurrection Prevention:** We now periodically check for expired domains to [prevent domain resurrection attacks](/posts/2025-08-18-preventing-domain-resurrections.md). +* **Spam Prevention**: We've taken action against spam campaigns, including [temporarily prohibiting registrations from specific domains](/posts/2025-06-15-prohibiting-inbox-ru-emails.md) that were the source of abuse. + +## Transparency and Incident Response + +This year, we've also focused on providing transparent and timely information about security incidents affecting the PyPI ecosystem. We've published detailed incident reports on a number of events, including: + +* An issue with [privileges persisting in Organization Teams](/posts/2025-04-14-incident-report-organization-team-privileges.md). +* A widespread [phishing attack targeting PyPI users](/posts/2025-07-31-incident-report-phishing-attack.md). +* A [token exfiltration campaign via GitHub Actions workflows](/posts/2025-09-16-github-actions-token-exfiltration.md). +* The potential implications of the ["Shai-Hulud" attack on the npm ecosystem](/posts/2025-11-26-pypi-and-shai-hulud.md). + +We believe that transparency is key to building and maintaining trust with our community, and we'll continue to provide these reports as needed. + +## Saftey and Support Requests + +This year, our saftey & support team and administrators have been working diligently to address user requests and combat malware to maintain a healthy ecosystem. We're proud to report significant progress in handling various types of support inquiries and improving our malware response. + +### Malware Response + +We've continued to improve our malware detection and response capabilities. This year, we've processed **more than 2000 malware reports**. This is a testament to the vigilance of our community and the dedication of our administrators. + +Our goal is to reduce the time it takes to remove malware from PyPI, and we're happy to report that we're making significant progress: +in the last year, 66% of all reports were handled within 4 hours, climbing to 92% within 24 hours, with only a few more complex issues reaching the maximum of 4 days to remediate. + +### Support Requests + +Our support team has also been hard at work making sure our users can continue to be effective on PyPI. This year, we've successfully resolved **2221** individual account recovery requests. + +We've also handled more than 500 project name retention sequests (PEP 541). This includes an average first triage time less than 1 week. This is a significant improvement compared to the previous 9-month backlog, and we're happy to report that the backlog is current for the month of December. + +## Introducing Organizations + +One of our biggest announcements this year was the general availability of **Organizations** on PyPI. Organizations provide a way for companies and community projects to manage their packages, teams, and billing in a centralized location. + +The response has been overwhelming: + +* **[NUMBER]** of organizations have been created on PyPI. +* **[NUMBER]** of projects are now managed by organizations. + +We've been hard at work adding new features to Organizations, including team management, project transfers, and a comprehensive admin interface. We're excited to see how organizations use these features to streamline their workflows and collaborate more effectively. + +## A Better PyPI for Everyone + +Finally, we've made a number of improvements to the overall maintainer experience on PyPI. These include: + +* **Project Lifecycle Management:** You can now [archive your projects](/posts/2025-01-30-archival.md) to signal that they are no longer actively maintained. This is part of a larger effort to standardize [project status markers as proposed in PEP 792](2025-08-14-project-status-markers.md). +* **New Terms of Service:** We've introduced a new [Terms of Service](/posts/2025-02-25-terms-of-service.md) to formalize our policies and enable new features like Organizations. + +## Looking Ahead to 2026 + +We're proud of the progress we've made in 2025, but we know there's always more to do. In 2026, we'll continue to focus on improving the security, stability, and usability of PyPI for the entire Python community. + +## Acknowledgements + +We'd like to extend a special thank you to a few individuals who made significant contributions to PyPI this year. Thank you to **William Woodruff**, **Facundo Tuesca**, and **Seth Michael Larson** for your work on trusted publishing, attestations, project archival, zipfile mitigation, and other security features. + +PyPI wouldn't be what it is today without the countless hours of work from our community. A huge thank you to everyone who contributed code, opened an issue, or provided feedback this year. As always, we're grateful for the contributions of our community, whether it's through code, documentation, or feedback. PyPI wouldn't be what it is today without you. + +Here's to a great 2026! + +-- _Dustin Ingram, on behalf of the PyPI team._