Dustin Ingram

PyPI in 2025: A Year in Review

As 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. This year, we've focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency.

PyPI now supports digital attestations

PyPI package maintainers can now publish signed digital attestations alongside their releases, further increasing trust in the supply-chain security of their projects. Additionally, a new API is available for consumers and installers to verify published attestations.

Many projects have already begun publishing attestations, and more than 20,000 attestations have been published so far.

This finalizes PyPI's support for PEP 740, and follows directly from previous work to add support for Trusted Publishing, as well as the deprecation and removal of PGP signatures.

Expanding Trusted Publisher Support

Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers:

  • GitLab CI/CD
  • Google Cloud
  • ActiveState

These providers join existing support for publishing from GitHub Actions without long-lived passwords or API tokens, which we announced last year, and bring support for Trusted Publishing to even more hosted providers.

Introducing 'Trusted Publishers'

Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.