TL;DR

A community member noted a third-party Deno package on PyPI. Deno maintainers worked with the third-party maintainer and have integrated PyPI publishing into the official Deno release process via a deno_pypi repository.

What happened

A GitHub issue was opened after someone discovered a Deno listing on PyPI that had been provided by a third party. Commenters raised concerns about trusting an unofficial packaging of a large compiled Rust executable wrapped for Python use. Deno maintainers engaged with the third-party maintainer (the manzt repository) to arrange a transfer of responsibility. As a result, the Deno project created a deno_pypi repository and updated its release automation so that Deno artifacts are published to PyPI as part of the official release workflow. A commit updating the release template was added and the issue was marked completed. The thread reflects a move from an uncontrolled third-party distribution toward an official, repository-backed PyPI publishing process coordinated by the denoland organization.

Why it matters

  • Official PyPI publishing centralizes delivery of Deno artifacts for Python ecosystems, potentially simplifying adoption in Python projects.
  • Bringing packaging under the denoland org addresses earlier trust concerns about unaffiliated binaries on PyPI.
  • Integrating PyPI steps into the release process can improve consistency between binary releases and Python-distributed packages.
  • Having an official repository for PyPI publishing provides a clearer point of contact for maintenance and issues.

Key facts

  • Issue #31254 was opened to highlight a Deno listing on PyPI maintained by a third party.
  • The third-party packaging referenced in the thread was associated with the manzt repository.
  • Commenters expressed concern about trusting a third-party distribution of a compiled Rust executable in a thin Python wrapper.
  • Deno maintainer bartlomieju contacted the third-party maintainer to arrange a transfer to the denoland organization.
  • A deno_pypi repository was created under the denoland org to handle PyPI publishing: https://github.com/denoland/deno_pypi.
  • PyPI publishing is now performed as part of Deno's official release process, per the maintainers’ updates.
  • A continuous-integration/release-template commit (referenced as 'ci: update release template') was added in the process.
  • The GitHub issue was closed as completed after these changes were made.
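The trust concern in the thread, a compiled executable shipped inside a thin Python wrapper, can be checked from the consumer side by hashing the native binary in a downloaded wheel and comparing it with a digest obtained from a source you already trust. The following is an added example, not code from the Deno project or the original thread; the wheel layout (`deno/bin/deno`), the helper names and the sample bytes are constructed assumptions, and the page does not say whether the project publishes checksums.

```python
import hashlib
import io
import zipfile

# Leading bytes of native executables: ELF, PE, Mach-O (thin and fat).
# Heuristic only: a Java class file shares the last magic value.
NATIVE_MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",
                 b"\xca\xfe\xba\xbe")

def native_members(wheel_bytes):
    """Return {member_name: sha256_hex} for every native executable in a wheel."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for info in wheel.infolist():
            if info.is_dir():
                continue
            data = wheel.read(info)
            if data.startswith(NATIVE_MAGICS):
                found[info.filename] = hashlib.sha256(data).hexdigest()
    return found

def audit_wheel(wheel_bytes, trusted_sha256):
    """Pass only if the wheel has exactly one native binary with the trusted digest."""
    members = native_members(wheel_bytes)
    problems = []
    if len(members) != 1:
        problems.append(f"expected 1 native binary, found {len(members)}")
    for name, digest in members.items():
        if digest != trusted_sha256.lower():
            problems.append(f"{name}: sha256 {digest} does not match trusted digest")
    return (not problems, problems)

def build_sample_wheel(binary, extra=None):
    """Constructed test input: an in-memory wheel with a hypothetical layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("deno/__init__.py", "# thin launcher (constructed)\n")
        wheel.writestr("deno/bin/deno", binary)
        if extra is not None:
            wheel.writestr("deno/bin/helper", extra)
    return buf.getvalue()

# Constructed stand-in for a release binary and its out-of-band digest.
OFFICIAL = b"\x7fELF" + b"constructed stand-in for the official release binary"
TRUSTED = hashlib.sha256(OFFICIAL).hexdigest()

if __name__ == "__main__":
    for label, wheel in [("matching", build_sample_wheel(OFFICIAL)),
                         ("repacked", build_sample_wheel(OFFICIAL + b"\x00")),
                         ("extra binary", build_sample_wheel(OFFICIAL, b"MZ\x90\x00"))]:
        print(label, audit_wheel(wheel, TRUSTED))
```

A matching digest only shows that the wrapped binary equals the one you compared against; the wrapper's own Python files still need reading.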

What to watch next

  • Monitor the deno_pypi repository for implementation details and future changes to the PyPI publishing workflow.
  • Watch upcoming Deno releases on PyPI to confirm they are published through the official denoland process.
  • Whether security review practices, package signing, and supply-chain protections are in place for the PyPI distribution: not confirmed in the source.

Quick glossary

  • PyPI: The Python Package Index, a repository for Python packages and distributions.
  • Deno: A runtime for JavaScript and TypeScript; in this context, it is distributed as a compiled executable.
  • denoland: The organization that maintains the Deno project and its official repositories.
  • Package maintainer: An individual or team responsible for preparing, publishing, and updating software packages on distribution platforms.

Reader FAQ

Is Deno now officially published on PyPI?
Yes. The project integrated PyPI publishing into its official release process via the deno_pypi repository.

Was there previously a third-party Deno package on PyPI?
Yes. A third-party maintainer published a Deno package on PyPI prior to the transfer to denoland.

Has the third-party packaging been transferred to the denoland organization?
Maintainers engaged with the third-party maintainer and set up deno_pypi under denoland; the issue was marked completed.

Are package signing and detailed security audits now in place for the PyPI distribution?
Not confirmed in the source.

Source thread: denoland/deno issue #31254, "verify pypi distribution of deno" (Closed #31799), opened by KotlinIsland ·…
