HTTPX

registry: PyPI
package name: httpx
maintainer: Encode

HTTPX is a fully featured async-first HTTP client for Python, providing both sync and async interfaces with HTTP/2 support. It is the default HTTP client in FastAPI and is widely adopted in modern Python services that require connection pooling, timeouts, and retry logic. The OpenAI and Anthropic SDKs use HTTPX as their transport layer.

api usage

Checking HTTPX

httpx 0.27.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=httpx&version=0.27.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "httpx",
  "version": "0.27.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```
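
A small install gate built on the check above, written as an added example rather than Attestd's own client code. It assumes that the entries of the sources array are the detector IDs the page lists (registry, osv, pypi_yank) and that the MALICIOUS sample is a constructed response in the same schema; the live fetch_check call is included for completeness but the decision logic runs offline on the documented 0.27.0 response.

```python
"""Gate an install on an Attestd /v1/check result (added example, not Attestd's code).
Assumed, not from the page: "sources" entries are the detector IDs listed under
"attack surface" (registry, osv, pypi_yank); the MALICIOUS sample is constructed."""
import json
import urllib.parse
import urllib.request

API = "https://api.attestd.io/v1/check"
# Per-detector confidence as documented on the page.
CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}


def check_url(product: str, version: str) -> str:
    # URL-encode so an unusual product name cannot alter the query string.
    return API + "?" + urllib.parse.urlencode({"product": product, "version": version})


def fetch_check(product: str, version: str, api_key: str) -> dict:
    # Live call with the Bearer header from the curl example; not exercised offline.
    req = urllib.request.Request(check_url(product, version),
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decide(result: dict) -> tuple:
    """Return (verdict, reason). Fails closed: unsupported or unexpected states block."""
    if result.get("supported") is not True:
        return "block", "version not covered by Attestd, so there is no clean signal"
    sc = result.get("supply_chain") or {}
    if sc.get("compromised") is True:
        conf = max((CONFIDENCE.get(s, 0.0) for s in sc.get("sources", [])), default=0.0)
        return "block", f"{sc.get('malware_type')} reported (confidence {conf:.2f})"
    if result.get("risk_state") != "none":
        return "block", f"risk_state={result.get('risk_state')!r}"
    return "allow", "no known supply chain compromise"


# CLEAN is the page's documented response for httpx 0.27.0, trimmed to the fields used.
CLEAN = {"product": "httpx", "version": "0.27.0", "supported": True, "risk_state": "none",
         "supply_chain": {"compromised": False, "sources": [], "malware_type": None}}
# MALICIOUS is a constructed response in the same schema; every value is hypothetical.
MALICIOUS = {"product": "httpx", "version": "0.0.0-example", "supported": True,
             "risk_state": "compromised",
             "supply_chain": {"compromised": True, "sources": ["osv", "pypi_yank"],
                              "malware_type": "credential-stealer"}}
```

Wire decide() into a pre-install hook so an unsupported version blocks as well as a flagged one; a missing signal is not a clean signal.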

attack surface

Why this package is monitored

Because HTTPX is the underlying transport for major LLM SDK packages, a compromised version sits between the application and the model API for every request, making it possible to intercept API keys and responses without modifying the higher-level SDK.

Attestd monitors httpx using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
