Able to install packages without authentication from GitLab package registry

  • Self-managed GitLab version 15.11.13

In our self-managed GitLab instance, we have a group with various projects. In one of the projects, I have pushed a Python package to its package registry. I then copy the command "pip install … " from the Python package page and use it to install the package on another machine. The issue is that I have not defined any .pypirc file, so there is no access token on the machine, and still I am able to install the Python package.

How can I enforce the endpoint to first authenticate with GitLab before proceeding to install the python package?

Current 17.x releases require authentication for PyPI packages in the registry. Not sure if 15.x supported that behavior, but I recommend upgrading to supported 17.3+.

Hi @dnsmichi,

In this page (installing pypi packages), it specifically states to use a token, but I am still able to install a package without a token. Does it mean that I am following some incorrect process, or is the information on the page incorrect?

Maybe a bug or security problem in 15.11.
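
One way to check from the outside whether a registry answers anonymous requests, as an added example that is not part of the thread or GitLab's own code: it requests the project-level PyPI index that pip uses, sends no token, and records whether a file listing comes back. The host, project IDs, package names and the responses in `SAMPLE` are constructed so the block runs offline.

```python
import urllib.error
import urllib.request

def index_url(base_url, project_id, package):
    """Project-level PyPI 'simple' index URL that pip requests for a package."""
    return f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/packages/pypi/simple/{package}"

def fetch_anonymous(url, timeout=10):
    """GET the URL with no token or cookie; return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def classify(status, body):
    """OPEN: anonymous caller got a file listing. PROTECTED: request was refused."""
    if status == 200 and "<a " in body.lower():
        return "OPEN"
    if status in (401, 403, 404):  # 404 also covers a wrong project ID or package name
        return "PROTECTED"
    return "UNKNOWN"

def audit(base_url, targets, fetch=fetch_anonymous):
    """targets: iterable of (project_id, package). Returns {(id, package): verdict}."""
    results = {}
    for project_id, package in targets:
        status, body = fetch(index_url(base_url, project_id, package))
        results[(project_id, package)] = classify(status, body)
    return results

# Constructed responses standing in for a live instance (not real data).
SAMPLE = {
    "https://gitlab.example.com/api/v4/projects/101/packages/pypi/simple/internal-lib":
        (200, '<html><body><a href="#">internal_lib-1.0.tar.gz</a></body></html>'),
    "https://gitlab.example.com/api/v4/projects/102/packages/pypi/simple/other-lib":
        (401, ""),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, ""))

if __name__ == "__main__":
    targets = [(101, "internal-lib"), (102, "other-lib")]
    found = audit("https://gitlab.example.com/", targets, fetch=sample_fetch)
    for key, verdict in found.items():
        print(key, verdict)
```

Against a live instance, call `audit()` without the `fetch` argument and confirm each project ID and package name exists first, since a 404 is counted as a refusal.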