From 2b0e69a6e634230130c5dc2ecc8c21bcb0531273 Mon Sep 17 00:00:00 2001
From: x4v13r64
Date: Sat, 21 Mar 2026 09:48:11 +0100
Subject: [PATCH] fix: remove unregistered Windows App SDK PyPI dependencies (dependency confusion)

onnxruntime-winml is not published to PyPI; references in requirements.txt files allow an attacker to register the name and intercept installs. winappsdk-Foundation and winappsdk-InteractiveExperiences are likewise not on PyPI; they are distributed via local wheels. Remove bare package names and add comments directing users to the correct distribution channel.
---
 WindowsAppSDK-ProjectTemplates/python/packaged/pyproject.toml | 4 ++--
 WindowsAppSDK-ProjectTemplates/python/sparse/pyproject.toml | 4 ++--
 .../python/unpackaged/pyproject.toml | 3 ++-
 .../WindowsML/python/SqueezeNetPython/requirements.txt | 3 ++-
 .../WindowsML/python/SqueezeNetPython/requirements.txt | 3 ++-
 5 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/WindowsAppSDK-ProjectTemplates/python/packaged/pyproject.toml b/WindowsAppSDK-ProjectTemplates/python/packaged/pyproject.toml
index b77ad02..89c6fb6 100644
--- a/WindowsAppSDK-ProjectTemplates/python/packaged/pyproject.toml
+++ b/WindowsAppSDK-ProjectTemplates/python/packaged/pyproject.toml
@@ -5,8 +5,8 @@ description = "Add your description here"
 readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
- "winappsdk-Foundation",
- "winappsdk-InteractiveExperiences"
+ # winappsdk-Foundation and winappsdk-InteractiveExperiences are NOT on PyPI.
+ # Install them from the local wheels/ directory via the find-links setting below.
 ]

 [build-system]
diff --git a/WindowsAppSDK-ProjectTemplates/python/sparse/pyproject.toml b/WindowsAppSDK-ProjectTemplates/python/sparse/pyproject.toml
index 49f3b7e..306d965 100644
--- a/WindowsAppSDK-ProjectTemplates/python/sparse/pyproject.toml
+++ b/WindowsAppSDK-ProjectTemplates/python/sparse/pyproject.toml
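Review bot: The replacement comment in the `dependencies` array points users at a find-links setting "below", but an extra `find-links` source does not stop the resolver from also consulting PyPI, so anyone who then runs `pip install winappsdk-Foundation` is still exposed to the dependency confusion this commit is meant to close; the same comment appears in the sparse and unpackaged pyproject.toml hunks. The comment should spell out an index-free install, e.g. `# Install with: pip install --no-index --find-links wheels/ winappsdk-Foundation winappsdk-InteractiveExperiences`. Emptying `dependencies` also means a missing wheel is no longer caught at install time, only at import; if the template wants the requirement declared, a direct file reference such as `"winappsdk-Foundation @ file:wheels/<WHEEL_FILENAME>"` keeps it declared without ever naming a PyPI project. The find-links setting the comment refers to is outside this hunk, so whether it exists cannot be confirmed here.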
@@ -5,8 +5,8 @@ description = "Add your description here"
 readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
- "winappsdk-Foundation",
- "winappsdk-InteractiveExperiences"
+ # winappsdk-Foundation and winappsdk-InteractiveExperiences are NOT on PyPI.
+ # Install them from the local wheels/ directory via the find-links setting below.
 ]

 [build-system]
diff --git a/WindowsAppSDK-ProjectTemplates/python/unpackaged/pyproject.toml b/WindowsAppSDK-ProjectTemplates/python/unpackaged/pyproject.toml
index 09d048f..9b2735c 100644
--- a/WindowsAppSDK-ProjectTemplates/python/unpackaged/pyproject.toml
+++ b/WindowsAppSDK-ProjectTemplates/python/unpackaged/pyproject.toml
@@ -5,7 +5,8 @@ description = "Simple WinApp SDK file picker example"
 readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
- "winappsdk-Foundation"
+ # winappsdk-Foundation is NOT on PyPI.
+ # Install it from the local wheels/ directory via the find-links setting below.
 ]

 [project.scripts]
diff --git a/WindowsAppSDK-Samples/1.8-stable/WindowsML/python/SqueezeNetPython/requirements.txt b/WindowsAppSDK-Samples/1.8-stable/WindowsML/python/SqueezeNetPython/requirements.txt
index e192a18..0caa300 100644
--- a/WindowsAppSDK-Samples/1.8-stable/WindowsML/python/SqueezeNetPython/requirements.txt
+++ b/WindowsAppSDK-Samples/1.8-stable/WindowsML/python/SqueezeNetPython/requirements.txt
@@ -1,5 +1,6 @@
 pillow
 numpy
-onnxruntime-winml
+# onnxruntime-winml is NOT available on PyPI — install from the Windows App SDK distribution:
+# https://learn.microsoft.com/windows/ai/windows-ml/
 wasdk-Microsoft.Windows.AI.MachineLearning[all]
 wasdk-Microsoft.Windows.ApplicationModel.DynamicDependency.Bootstrap
diff --git a/WindowsAppSDK-Samples/2.0-stable/WindowsML/python/SqueezeNetPython/requirements.txt b/WindowsAppSDK-Samples/2.0-stable/WindowsML/python/SqueezeNetPython/requirements.txt
index e192a18..0caa300 100644
--- a/WindowsAppSDK-Samples/2.0-stable/WindowsML/python/SqueezeNetPython/requirements.txt
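Review bot: In the 1.8-stable requirements.txt hunk the two remaining `wasdk-Microsoft.Windows.…` lines are still bare, unpinned names, so they rely on the same "whatever the index serves" resolution that made `onnxruntime-winml` dangerous; the identical hunk for 2.0-stable requirements.txt has the same gap. If those distributions are published on PyPI, pin them (`wasdk-Microsoft.Windows.AI.MachineLearning[all]==<VERSION>`) and consider `--require-hashes` so a substituted upload cannot satisfy the install; if they are shipped as local wheels like onnxruntime-winml, they need the same comment treatment, and a leading `--no-index --find-links <WHEELS_DIR>` line in the file would keep pip off the public index altogether. `pillow` and `numpy` would benefit from the same version pins for a reproducible sample.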
+++ b/WindowsAppSDK-Samples/2.0-stable/WindowsML/python/SqueezeNetPython/requirements.txt
@@ -1,5 +1,6 @@
 pillow
 numpy
-onnxruntime-winml
+# onnxruntime-winml is NOT available on PyPI — install from the Windows App SDK distribution:
+# https://learn.microsoft.com/windows/ai/windows-ml/
 wasdk-Microsoft.Windows.AI.MachineLearning[all]
 wasdk-Microsoft.Windows.ApplicationModel.DynamicDependency.Bootstrap