Pip install command does not match the documentation

[maqp]

The About section on the frontpage links to pythonhosted.org/fitparse/.

That documentation is telling the user to run

$ pip install python-fitparse

which does not match the front page

$ pip install fitparse

This is especially concerning, given that there is a 0-star repository reusing the name:

https://github.com/nbr23/python-fitparse

I would understand if it was a fork of this but it is not. It looks like a re-uploaded version of this repo which hides forking information, and despite the new user's commits from July 19, 2025 onwards, their readme remains not updated, it still has David's message about it not being maintained. OTOH it also has the pip install fitparse message.

That author also has their own repo on PyPI https://pypi.org/project/python-fitparse/

While their code did not show any scripts or malicious code, this situation needs to be resolved ASAP, as it is a dependency confusion attack vector.

[nbr23]

hi @maqp,

thanks, I've updated the readme for https://github.com/nbr23/python-fitparse to hopefully clarify my repo's situation, which is:

• https://github.com/nbr23/python-fitparse IS a fork. I took it out of the "github fork network" or whatever they call it because when a parent repo gets deleted, forks get deleted too. I don't want that. But that's just github fancy UI stuff. The repo is very much a fork with some updates
• I understand your concern about dependency confusion. I updated my readme to make sure readers of my fork install the forked version. I don't know that further changes are needed. If the owner of this repo wants me to transfer ownership of the pypi project, I'm happy to oblige
• I don't know how the original repo's doc references the wrong pypi project. It was available when I used it to publish the fork. I don't believe pypi allows recycling of those names, but I could be wrong 🤷

Cheers