Description
Summary
While setting up the project environment, the dependency codecov==2.1.12
fails to install because this exact version no longer exists on PyPI.
This is not just a build issue — it may indicate:
- the version was removed,
- deprecated,
- or replaced due to a security concern.
This creates a potential supply-chain vulnerability and causes installation
failures for all contributors.
Steps to Reproduce
- Run: pip install -r requirements-dev.txt
- Observe the error:
Why this is a Security Concern
A missing or deleted dependency can indicate:
- supply-chain attack possibility,
- dependency confusion risk,
- the project breaking entirely due to a single missing package.
The honeypot should not fail on setup due to a dev dependency.
Proposed Actions
- Investigate why 2.1.12 was removed from PyPI.
- If unsafe or deprecated → remove it from requirements.
- If still needed → replace with a maintained version (codecov>=2.1.10).
- Add fallback / error handling so missing dev dependencies do not crash the honeypot.
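A check that catches this class of failure before it reaches contributors, as an added example that is not part of the issue or the project's code: it parses the == pins in a requirements file and compares them against a release index in the shape of the PyPI JSON API's releases mapping, flagging versions that are missing, have no files, or are fully yanked. The sample requirements and release data below are constructed, not real PyPI state.

```python
import re

# Matches exact "name==version" pins; ranges and comment lines are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 project-name normalisation, as used by the PyPI index."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_pins(requirements_text, releases_by_project):
    """Return (name, version, status) for every '==' pin.

    releases_by_project maps a normalised project name to the 'releases'
    mapping of the PyPI JSON API (version -> list of file entries, each
    with a boolean 'yanked'). status is 'ok', 'no-files' (version listed
    but nothing to download), 'yanked' (every file yanked) or 'missing'.
    """
    findings = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        files = releases_by_project.get(name, {}).get(version)
        if files is None:
            status = "missing"
        elif not files:
            status = "no-files"
        elif all(f.get("yanked", False) for f in files):
            status = "yanked"
        else:
            status = "ok"
        findings.append((name, version, status))
    return findings

# Constructed sample input: not the project's real requirements-dev.txt and
# not real PyPI metadata (examplelib and othertool are placeholder names).
SAMPLE_REQUIREMENTS = ("codecov==2.1.12\ncoverage==7.4.0\npytest>=7\n"
                       "examplelib==1.0.0  # placeholder\nothertool==0.9\n")
SAMPLE_RELEASES = {
    "codecov": {"2.1.12": [], "2.1.13": [{"yanked": False}]},
    "coverage": {"7.4.0": [{"yanked": False}, {"yanked": False}]},
    "examplelib": {"1.0.0": [{"yanked": True}]},
}

if __name__ == "__main__":
    for name, version, status in audit_pins(SAMPLE_REQUIREMENTS, SAMPLE_RELEASES):
        if status != "ok":  # only pins that would break a fresh install
            print(f"{name}=={version}: {status}")
```

Running it in CI against the live JSON API (https://pypi.org/pypi/<name>/json) turns a surprise install failure into a reviewable finding.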
Willing to Work on It
I would like to investigate this further and submit a fix once confirmed.
Security Research Findings
1. Version Removed From PyPI
The version codecov==2.1.12 has been yanked from PyPI.
It appears in “removed versions”, with no available files.
Reason: deprecation + security concerns.
2. Codecov Deprecation Plan
According to project documentation, Codecov announced long-term
deprecation of older Python uploaders. Communication about this
deprecation was poor, leading to ecosystem breakage.
3. Codecov Python Client Archived
The codecov-python GitHub repository is archived by the owner.
No further updates or security patches will be released.
Using archived/abandoned CI tools is a supply-chain security risk.
4. Known Security Incidents
🔸 CVE-2019-10800
Associated with a command injection vulnerability in archived versions.
🔸 2021 Supply Chain Attack
The Codecov Bash Uploader was compromised in a major supply-chain event
affecting thousands of organizations.
Attackers stole:
- credentials
- CI secrets
- environment variables
- git remotes
This led to large-scale credential rotation across the industry.
5. Recommendation
Given the above:
- The dependency should be removed completely.
- The project should not rely on Codecov for dev/testing.
- Alternative coverage tools (e.g., coverage.py, GitHub Actions artifacts) should be used instead.
- Dev dependencies should be cleaned to avoid installing archived packages.
This improves supply chain resilience of the honeypot itself.