Michael: I don't really know how you can mitigate those kind of attacks because the package name typos can happen. So pin your versions, probably one. You could whitelist, you can do things like set up a private pipe, yeah, server, and just whitlist packages. And Chris did also follows on with is venturing dependencies and appropriate mitigation. Instead of pip installing requests, like finding the key bits of requests and just copying that code into your application.