Use `--index-url` in PyPi description (#22620)

Fixes #22616

Co-authored-by: zeripath <art27@cantab.net>

2 files changed, 3 insertions, 1 deletions

diff --git a/docs/content/doc/packages/pypi.en-us.md b/docs/content/doc/packages/pypi.en-us.md
index 588df71d60..ec2475aea3 100644
--- a/docs/content/doc/packages/pypi.en-us.md
+++ b/docs/content/doc/packages/pypi.en-us.md
@@ -77,6 +77,8 @@ For example:
 pip install --index-url https://testuser:password123@gitea.example.com/api/packages/testuser/pypi/simple --no-deps test_package
 ```
 
+You can use `--extra-index-url` instead of `--index-url` but that makes you vulnerable to dependency confusion attacks because `pip` checks the official PyPi repository for the package before it checks the specified custom repository. Read the `pip` docs for more information.
+
 ## Supported commands
 
 ```
diff --git a/templates/package/content/pypi.tmpl b/templates/package/content/pypi.tmpl
index 1cce31f537..1ae243813d 100644
--- a/templates/package/content/pypi.tmpl
+++ b/templates/package/content/pypi.tmpl
@@ -4,7 +4,7 @@
 		<div class="ui form">
 			<div class="field">
 				<label>{{svg "octicon-terminal"}} {{.locale.Tr "packages.pypi.install"}}</label>
-				<div class="markup"><pre class="code-block"><code>pip install --extra-index-url {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/pypi/simple {{.PackageDescriptor.Package.Name}}</code></pre></div>
+				<div class="markup"><pre class="code-block"><code>pip install --index-url {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/pypi/simple {{.PackageDescriptor.Package.Name}}</code></pre></div>
 			</div>
 			<div class="field">
 				<label>{{.locale.Tr "packages.pypi.documentation" | Safe}}</label>