Lab 4: Controlling Which Packages Users Can Install
By the end of this lab, you will be able to:
- Create a repository with a blocklist rule based on vulnerability severity
- Verify that vulnerable package versions are blocked while others remain available
- Create a curated CRAN source from a requirements.txt file anchored to a snapshot date
- Confirm a curated repository exposes only the approved packages and their dependencies
This lab puts into practice the concepts covered in Controlling Which Packages Users Can Install. If you have not read it yet, review it first so the steps below make sense.
Create a Repository with Blocklist Rules
To block packages in Package Manager:
- Create a repository
- Subscribe it to the source you want to block packages from (for example, PyPI or CRAN)
- Create blocklist rules for that repository
For example, to block all Python packages with a vulnerability score of 5.0 or higher:
Terminal
sudo rspm create repo --type=python --name=blocked-pypi --description='Block PyPI packages'
sudo rspm subscribe --repo=blocked-pypi --source=pypi
sudo rspm create blocklist-rule --repo=blocked-pypi --min-severity=5.0 --block-unscored=false --description='Block all packages with a vulnerability score 5.0 and above'

These commands create a repository in which every package version with a vulnerability severity score of 5.0 or higher is blocked from installation. Because the rule sets --block-unscored=false, versions that have no vulnerability score at all remain installable.
Verify the Blocklist
Navigate to your Package Manager URL, refresh the page (using the circular icon in the top right), select the blocked-pypi repository, and look for the package OctoPrint. Recent versions of the package are not blocked; older versions are blocked because they have vulnerabilities scored above the 5.0 threshold. Explore the user interface to see which versions are blocked and which are available for installation.
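The web interface shows the blocked versions, but a practitioner usually also wants a repeatable check from a client machine. The following is an added example, not code from the lab or from Package Manager. It assumes the repository serves a standard PEP 503 "simple" index at $PM_URL/<repo>/latest/simple/<package>/ (PM_URL is a hypothetical environment variable naming your server), and it uses a constructed index page, with made-up version numbers, so the parsing can be exercised offline:

```shell
#!/bin/sh
# Added example (not part of the lab or of Package Manager): verify from the
# client side that a given version of a package is absent from a repository.
# Assumptions: the repository's PEP 503 "simple" index is served at
# $PM_URL/<repo>/latest/simple/<package>/ and lists one <a ...>filename</a>
# per distribution file; the sample index below is constructed for this example.

# Print one distribution filename per line from a simple-index HTML page on stdin.
simple_index_files() {
    sed -n 's/.*<a [^>]*>\([^<]*\)<\/a>.*/\1/p'
}

# Exit 0 if a file for exactly version $2 of package $1 appears in the index on stdin.
# Names are compared case-insensitively with '-' folded to '_' (wheel filenames
# normalise the project name that way), so "OctoPrint-1.9.3.tar.gz" and
# "OctoPrint-1.9.3-py2.py3-none-any.whl" both count as version 1.9.3.
index_has_version() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/-/_/g')
    ver=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    simple_index_files | tr 'A-Z' 'a-z' | sed 's/-/_/g' \
        | grep -Eq "^${name}_${ver}(_|\.tar\.gz$)"
}

# Fetch the live index for repository $1 and report whether package $2 version $3
# is served. PM_URL (assumed) must point at the Package Manager server.
check_repo_version() {
    repo=$1; pkg=$2; ver=$3
    url="${PM_URL:?set PM_URL to your Package Manager address}/$repo/latest/simple/$(printf '%s' "$pkg" | tr 'A-Z' 'a-z')/"
    if curl -fsS "$url" | index_has_version "$pkg" "$ver"; then
        echo "$pkg $ver is AVAILABLE from $repo"
        return 0
    fi
    echo "$pkg $ver is blocked or absent in $repo"
    return 1
}

# Constructed sample index: two files for version 1.9.3 and none for 1.4.0.
SAMPLE_INDEX='<html><body>
<a href="../../OctoPrint-1.9.3.tar.gz#sha256=CONSTRUCTED">OctoPrint-1.9.3.tar.gz</a><br/>
<a href="../../OctoPrint-1.9.3-py2.py3-none-any.whl#sha256=CONSTRUCTED">OctoPrint-1.9.3-py2.py3-none-any.whl</a><br/>
</body></html>'

# Offline demonstration against the constructed index:
printf '%s\n' "$SAMPLE_INDEX" | index_has_version OctoPrint 1.9.3 && echo "1.9.3 listed"
printf '%s\n' "$SAMPLE_INDEX" | index_has_version OctoPrint 1.4.0 || echo "1.4.0 not listed (blocked or absent)"
# Live check (needs network): PM_URL=https://pm.example.internal check_repo_version blocked-pypi OctoPrint 1.4.0
```

A version that the blocklist rule removes simply disappears from the index, so "absent" is all the client can observe; the rule's reason (severity, license, name match) is visible only in the Package Manager interface or on the server.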
Create a Curated (Allowlist) Repository
To create a curated repository, you:
- Create a curated CRAN source
- Create a repository that will hold the curated packages
- Subscribe the repository to the curated source
- Create a requirements.txt file that lists the packages and versions you want to allow, along with any extra dependency-handling instructions for R packages
- Make the packages available to your repository (first with a dry run to confirm the correct packages are included, then by committing the change)
In practice, it looks like this:
Terminal
# Create a curated CRAN source
sudo rspm create source --name=subset --type=curated-cran --no-archived
# Create a repository that will hold the curated packages
sudo rspm create repo --name=curated-cran --type=r --description='Access Curated CRAN packages'
# Subscribe the repository to the curated source
sudo rspm subscribe --repo=curated-cran --source=subset

Create a requirements.txt file in your home directory that lists the packages you want to allow. For example, the following configuration allows any version of shiny at or above 1.8.0 along with all of its related packages, any version of ggplot2 at or above 4, and any version of plumber along with its suggested packages.
requirements.txt
shiny >= 1.8.0 [all]
ggplot2 >= 4
plumber [suggests]

Dry run to inspect the changes to the source before applying them:
Terminal
sudo rspm update --source=subset --file-in=requirements.txt --snapshot=2026-06-01

Commit the changes to the source:
Terminal
sudo rspm update --source=subset --file-in=requirements.txt --snapshot=2026-06-01 --commit

requirements.txt File Location
In this lab, you created the requirements.txt file in your home directory. In practice, you can create it anywhere on the system, as long as you provide the correct path to the --file-in argument when you run the rspm update command. You may want to store it alongside the other Package Manager configuration files in /etc/rstudio-pm/ so that it is easier to back up and reason about your deployment.
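Because the dry run is the only feedback on the file, a malformed line is easiest to catch before `rspm update` ever runs. The following linter is an added example, not part of the lab or of Package Manager. The syntax it accepts (a package name, an optional comparison operator from ==, >=, <=, >, < with a version, and an optional [all] or [suggests] option, with '#' lines treated as comments) is this example's own assumption built from the three lines the lab uses, not a statement of the full requirements.txt grammar; the function names and the sample files are constructed for the example:

```shell
#!/bin/sh
# Added example (not part of the lab or of Package Manager): lint a curated-CRAN
# requirements.txt before handing it to `rspm update --file-in`, so a typo fails
# fast instead of producing a confusing dry run.
# Assumptions: each non-blank line is  <package> [<op> <version>] [<option>]  with
# <op> one of == >= <= > < and <option> one of the two bracketed dependency
# settings the lab uses, [all] or [suggests]; lines starting with '#' are treated
# as comments here. The operator set and comment handling are this example's
# choices, not a statement of the full Package Manager syntax.

REQ_LINE_RE='^[A-Za-z][A-Za-z0-9.]*([[:space:]]+(==|>=|<=|>|<)[[:space:]]+[0-9]+([.-][0-9]+)*)?([[:space:]]+\[(all|suggests)\])?[[:space:]]*$'

# Report every malformed line (with its number) on stderr; exit 1 if any was found.
validate_requirements() {
    file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq "$REQ_LINE_RE"; then
            printf 'line %d: invalid requirement: %s\n' "$n" "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Print the package name from each requirement line, one per line, for comparing
# against what the curated repository actually serves after the commit.
requirements_packages() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# Constructed inputs: the lab's file, and one with a mistyped operator.
make_sample_requirements() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# curated CRAN allowlist
shiny >= 1.8.0 [all]
ggplot2 >= 4
plumber [suggests]
EOF
    printf '%s\n' "$f"
}
make_bad_requirements() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
shiny >= 1.8.0 [all]
ggplot2 => 4
EOF
    printf '%s\n' "$f"
}

# Usage in the lab's flow: validate first, then dry-run, then commit.
#   validate_requirements ~/requirements.txt \
#     && sudo rspm update --source=subset --file-in=requirements.txt --snapshot=2026-06-01
```

Running the linter in the same shell script as the dry run means a typo stops the pipeline before any source is touched; the package list from requirements_packages can later be compared with the packages the curated-cran repository shows in the web interface.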
Verify Your Work
Once you have applied the curated source, confirm that the curated repository includes only the packages you specified in your requirements.txt file, along with their dependencies as of the snapshot date. Navigate to the web interface and verify that your new repository includes fewer packages than your cran repository.
- Package Manager offers two complementary controls: blocklist rules deny specific packages within a repository (by name and version, vulnerability severity, or license type), while curated sources expose only an explicitly approved allowlist and nothing else.
- Vulnerability-based blocklist rules react to CVE data automatically, blocking newly discovered vulnerable versions without you having to track them by hand.
- Anchor a curated source to a snapshot date so the full dependency graph is deterministic. Without it, an upstream change can pull unapproved packages into your curated repository.