PyPI in 2025: A Year in Review
Source: Hacker News
Tags: new features • organizations • security
Key Numbers
- 3.9 million new files published
- 130,000 new projects created
- 1.92 exabytes of total data transferred
- 2.56 trillion total requests served
- 81,000 requests per second on average
These numbers testify to the continued growth and vibrancy of the Python community.
Security First, Security Always
Security is our top priority, and in 2025 we’ve shipped a number of features that make PyPI more secure than ever.
Enhanced Two‑Factor Authentication (2FA) for Phishing Resistance
We’ve made significant improvements to our 2FA implementation, starting with email verification for TOTP‑based logins. This adds an extra layer of protection by requiring you to confirm a login from a trusted device when using a phishable 2FA method such as TOTP.
Since rolling out these changes we’ve seen:
- 52% of active users now have non‑phishable 2FA enabled.
- 45,000+ unique verified logins.
Trusted Publishing and Attestations
Trusted publishing remains a cornerstone of our security strategy. This year we expanded support to include GitLab Self‑Managed instances, letting maintainers automate releases without long‑lived API tokens. We also added custom OIDC issuers for organizations, giving companies tighter control over their publishing pipelines.
Adoption of trusted publishing has been fantastic:
| Metric | Value |
|---|---|
| Projects using trusted publishing | 50,000+ |
| Share of file uploads via trusted publishers | 20% |
We’ve also been hard at work on attestations, a feature that lets publishers make verifiable claims about their software. Support for attestations is now available from all Trusted Publishing providers, and the community is already using it to strengthen the software supply chain.
| Metric | Value |
|---|---|
| Uploads that included an attestation (last year) | 17% |
Proactive Security Measures
Beyond user‑facing features, we’ve implemented a number of proactive measures to protect the registry from attack:
- Phishing protection: PyPI now detects and warns users about untrusted domains – see the announcement here.
- Improved ZIP‑file security: The upload pipeline has been hardened to prevent attacks involving malicious ZIP files – read more here.
- Typosquatting detection: PyPI automatically detects and flags potential typosquatting attempts during project creation.
- Domain resurrection prevention: Expired domains are periodically checked to stop resurrection attacks – details here.
- Spam prevention: We’ve taken action against spam campaigns, including prohibiting registrations from specific abusive domains – see the blog post here.
Transparency and Incident Response
This year we have emphasized transparent, timely communication about security incidents affecting PyPI. Detailed incident reports have been published for several events, including:
- Privileges persisting in organization teams – Read the report
- Widespread phishing attack targeting PyPI users – Read the report
- Token‑exfiltration campaign via GitHub Actions workflows – Read the report
- Potential implications of the “Shai‑Hulud” attack on the npm ecosystem – Read the report
We believe transparency is essential for building and maintaining trust with our community, and we will continue to publish incident reports as needed.
Safety and Support Requests
Our safety & support team and administrators have worked diligently this year to address user requests and combat malware, keeping the ecosystem healthy. Below is a summary of our key achievements.
Malware Response
- Over 2,000 malware reports processed – a testament to community vigilance and admin dedication.
- Response times:
  - 66% of reports handled within 4 hours.
  - 92% resolved within 24 hours.
  - Only a small number of complex cases required the maximum 4 days to remediate.
Support Requests
- 2,221 individual account‑recovery requests successfully resolved.
- Over 500 project‑name‑retention requests (PEP 541) handled.
  - Average first‑triage time: under 1 week.
  - The previous 9‑month backlog has been cleared, and the queue is up‑to‑date as of December.
Organizations Growth
One of our biggest announcements in previous years was the general availability of organizations on PyPI. Organizations give companies and community projects a centralized place to manage their packages, teams, and billing.
Recent Adoption
- 7,742 organizations have been created on PyPI.
- 9,059 projects are now managed by organizations.
New Features
We’ve been hard at work adding capabilities to organizations, including:
- Team management
- Project transfers
- A comprehensive admin interface
We’re excited to see organizations take advantage of these features to use PyPI more effectively.
A Better PyPI for Everyone
We’ve made a number of improvements to the overall maintainer experience on PyPI, including:
- Project lifecycle management – You can now archive your projects to signal that they are no longer actively maintained. This is part of a larger effort to standardize project‑status markers (PEP 792).
- New Terms of Service – We’ve introduced a new Terms of Service to formalize our policies and enable new features such as organizations.
Looking Ahead to 2026
We’re proud of the progress we made in 2025, but we know there’s always more to do. In 2026, we’ll continue to focus on improving the security, stability, and usability of PyPI for the entire Python community.
Acknowledgements
A huge thank‑you to our sponsors, whose support makes PyPI’s scale and reliability possible. Special appreciation goes to Fastly, a critical infrastructure donor.
We’d also like to recognize a few individuals for their outstanding contributions this year:
- William Woodruff – trusted publishing, attestations, and security enhancements
- Facundo Tuesca – project archival and zip‑file mitigation
- Seth Michael Larson – additional security features and tooling
Finally, PyPI would not be what it is today without the countless hours contributed by our community. Thank you to everyone who wrote code, opened issues, improved documentation, or offered feedback. Your efforts keep PyPI thriving.
Here’s to a great 2026!
— Dustin Ingram, on behalf of the PyPI team