Posit Package Manager 2023.12.0: Reporting and Blocking Security Vulnerabilities and More

The December release of Posit Package Manager adds native integration with the Open Source Vulnerabilities (OSV) database, plus Git Builders for Python packages and more.

The latest release of Posit Package Manager is now available and includes two highly-requested features as well as additional bug fixes and enhancements.


Security Vulnerability Reporting and Blocking


Many customers have asked us for an easy, effective way to help mitigate the risks of Python and R users unintentionally installing vulnerable packages. Building upon our existing Package Blocking framework, Posit Package Manager 2023.12.0 introduces native integration with the Open Source Vulnerabilities (OSV) database, a leading source of vulnerabilities in open-source libraries and packages. OSV continuously aggregates primary sources of package vulnerabilities, including for both PyPI and CRAN packages. Posit then processes these vulnerability updates and syncs them automatically to Package Manager.

Vulnerability details, along with associated CVE references where available, can be found on each package’s listing in the Package Manager web interface. Additionally, by adding one simple blocking rule, Package Manager will block all package versions with known vulnerabilities.


Blocked packages from PIPy on Posit Package Manager


Git Builders for Python Packages


Package Manager has long supported Git Builders for R packages, which monitor a public or internal Git-based repository and automatically build and publish a new version of the package to a Package Manager repository whenever the source is updated. This feature removes the burden of running your own CI/CD pipeline for teams developing custom packages. Posit Package Manager 2023.12.0 brings this same convenience to Python packages with Git Builders for Python packages.


Additional Improvements


We’ve also added several smaller, yet still highly-requested, improvements based on customer feedback:

  • R Git Builders will now attempt to build vignettes if the appropriate build tools are configured and enabled.
  • R and Python Git Builders will attempt to automatically detect an available interpreter if no path is set in the server configuration.
  • Local Python packages can now be added with the rspm add command, instead of requiring the twine package.
  • Blocklist rules can now be added or deleted in bulk, rather than only individually.

See the Release Notes for more details on all of these changes to Posit Package Manager. If you’re interested in securing your organization against vulnerabilities in Python and R packages with Posit Package Manager, visit here to learn more and schedule a demo.