Posit Package Manager 2023.04.0: Curated PyPI repos and more

Text: "Product Update. Posit Package Manager 2023.05. What's New". An image of the Posit Package Manager logo and the PyPi repository logo.

We’re pleased to announce several new features in the latest release of Posit Package Manager that provide administrators with greater control over the open-source packages available in internal R and Python repositories.

Posit Package Manager provides secure, reliable package management optimized for open-source data science teams using R and Python, hosted within your firewall. You can find all of the changes in the 2023.04.0 release of Package Manager in our Release Notes. In this post, we’ll highlight some new features for both Python and R users.


Curated PyPI Repositories

There are over 450,000 packages available on PyPI today, and many organizations want to mitigate the risks associated with making every package available for use. Now, Package Manager lets you give your Python users access to only the packages they need – and you trust.

Choosing a version of the pandas package from Posit Package Manager

Choose the specific PyPI packages and versions you want to make available via a standard Python requirements.txt file and curate those packages into a custom repository that your users can install from using standard Python tools like pip. See Curated PyPI Sources in the Admin Guide for more information


Block unwanted packages with Package Blocking

Previously, Posit Package Manager allowed administrators to create curated repositories of R packages by providing an “allowlist” of packages that must be included in the repository and blocking everything else. However, to maximize usability, sometimes you want to give your data scientists full access to everything CRAN or PyPI has to offer – except known risks.

Now you can block specific packages or versions from being installed from Package Manager to prevent harm without otherwise having to limit which packages your users can install. Administrators can add package blocking rules individually or push rules remotely from their own scanning tools via the command line interface. Read more about Package Blocking in our Admin Guide.


Block packages by open-source license

With Package Blocking, one of our most-requested features for Posit Package Manager is now available! Many organizations want to restrict access to packages that use specific open-source license types like AGPL. Now you can ensure compliance with internal policies regarding the use of open-source licenses by blocking access to CRAN or PyPI packages based on their license.

A blocked demo package on Posit Package Manager

Block packages that contain a specific license or other text in their license field, or create exceptions to allow packages with specific licenses. For example, to block all packages containing ‘AGPL’ in their license field:

$ rspm create blocklist-rule --license='AGPL' \
    --description="Block all packages containing 'AGPL' in their license field"

Or to only allow CRAN packages with an Apache 2.0 or MIT license:

$ rspm create blocklist-rule --source=cran --description='Block all CRAN packages'

$ rspm create blocklist-rule --source=cran --license-types='Apache-2.0,MIT' \
    --exception \
    --description='Only allow CRAN packages with an Apache 2.0 or MIT license'

We’ve provided a set of examples in our documentation showing you how to use these new features to block packages by license type.

Posit Package Manager 2023.04.0 is now available to help administrators and other data science operations professionals manage the risks associated with open-source packages while providing a great experience for end users developing in R and Python. When you’re ready to upgrade, download the latest version from our documentation. If you’re interested in learning how Package Manager can help you within your organization, learn more and book a demo here.