[QGIS-Developer] Security issues with plugins
Pedro Camargo
c at margo.co
Sun May 24 15:27:03 PDT 2026
Hello fellow QGISrs,
I maintain a couple of plugins that require a substantial number of extra Python packages (many of which have compiled/binary components). Hence, those plugins install all such requirements in a folder directly inside the plugin itself, keeping it quite clean when the user wants to remove said plugins.
I have been doing it this way for many years now, but this weekend I received security alerts that both plugins were taken down due to code that downloads extra dependencies (offending code at https://github.com/AequilibraE/qaequilibrae/blob/develop/qaequilibrae/download_extra_packages_class.py ).
Does anyone have any recommendations on how to proceed? What is currently the recommended way for plugins to install further dependencies?
Cheers,
Pedro