Mention python package index --extra-index-url potential dependency confusion attack in web-ui

### Description

Currently, Gitea suggests using the command `pip install --extra-index-url <gitea-url> <packagename>`. The `--extra-index-url` is susceptible to dependency confusion attacks, see: https://github.com/pypa/pip/issues/8606
This suggested command also does not match the documented command which uses the `--index-url <gitea-url> --no-deps` flags.

This should be mentioned in the web-ui to make users aware of the potential security risks from using this for private packages.

### Screenshots

![image](https://user-images.githubusercontent.com/24855949/215058616-7af41516-36b3-4230-9d6f-ebd171f4e9f0.png)


### Gitea Version

1.18.3

### Can you reproduce the bug on the Gitea demo site?

No

### Operating System

_No response_

### Browser Version

Firefox 109.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Mention python package index --extra-index-url potential dependency confusion attack in web-ui #22616

Description

Screenshots

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Operating System

Browser Version

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Participants

Mention python package index --extra-index-url potential dependency confusion attack in web-ui #22616

Description

Description

Screenshots

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Operating System

Browser Version

Activity

laundmo commented on Jan 27, 2023

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Participants

Issue actions