From 6a94271a101b523ccc9fa585272a5c65910d85bb Mon Sep 17 00:00:00 2001
From: Reinier Criel
Date: Tue, 11 Nov 2025 14:28:31 -0800
Subject: [PATCH] Do not add list of trusted hosts, is security risk

---
 .../safe-chain/src/packagemanager/pip/runPipCommand.js | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
index 4da7ab4..30dade4 100644
--- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
+++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
@@ -25,18 +25,13 @@ export async function runPip(command, args) {
   env.SSL_CERT_FILE = combinedCaPath;
 
   // To counter behavior that is sometimes seen where pip ignores REQUESTS_CA_BUNDLE/SSL_CERT_FILE,
-  // 1. Set additional env vars for pip
-  // 2. Create a pip config file that specifies the cert and trusted hosts
-
+  // We will set additional env vars for pip
   env.PIP_CERT = combinedCaPath;
 
   // Create a temporary pip config file
   const tmpDir = os.tmpdir();
   const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`);
 
-  // Trusted hosts: use knownPipRegistries from parsePackageFromUrl
-  const trustedHosts = Array.from(new Set(knownPipRegistries));
-
   // Proxy settings
   const httpProxy = env.HTTP_PROXY || '';
   const httpsProxy = env.HTTPS_PROXY || '';
@@ -46,7 +41,6 @@ export async function runPip(command, args) {
   pipConfig += `cert = ${combinedCaPath}\n`;
   if (httpProxy) pipConfig += `proxy = ${httpProxy}\n`;
   if (httpsProxy) pipConfig += `proxy = ${httpsProxy}\n`;
-  if (trustedHosts.length) pipConfig += `trusted-host = ${trustedHosts.join(' ')}\n`;
   await fs.writeFile(pipConfigPath, pipConfig);
   env.PIP_CONFIG_FILE = pipConfigPath;
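Review bot: The rewritten comment on the added line (`// We will set additional env vars for pip`) no longer matches the code that follows it, which still writes a temporary pip config file carrying `cert` and `proxy`; keep the two-step list and only drop the trusted-hosts mention, e.g. `// 1. Set additional env vars for pip` / `// 2. Create a pip config file that specifies the cert (and proxy, if set)`. On the unchanged lines of the same hunk, the config file that pip is pointed at through PIP_CONFIG_FILE is written into the shared `os.tmpdir()` under the predictable name `safe-chain-pip-${Date.now()}.ini` with default permissions, so another local user can pre-create a symlink at that path or race the write and have pip read settings of their choosing (an `index-url` or the very `trusted-host` this commit removes) instead of the ones written here. Assuming `fs` is the promises API, as `await fs.writeFile` suggests, a private directory closes this: `const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'safe-chain-pip-'));` and `const pipConfigPath = path.join(tmpDir, 'pip.ini');`. If `knownPipRegistries` was imported only for the removed `trustedHosts` line, that import is now unused and should go as well. `runPip` starts before this hunk and continues past it.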