Get rid of atomicwrites (unmaintained) #10114

@The-Compiler

PyPI has started enforcing 2-factor-auth for maintainers of various popular packages: https://twitter.com/pypi/status/1545455297388584960

For context, here is the mail I got:

Congratulations! A project you ('The_Compiler') maintain has been designated as a critical project on PyPI. You can see which project(s) has been designated at http://pypi.org/manage/projects/.

As part of this effort, in the coming months maintainers of projects designated as critical, like yourself, will be required to enable two-factor authentication on their account in order to add new releases or otherwise modify a critical project.

Since you already have two-factor authentication enabled on your account, there's nothing you need to do at this time.

PS: To make it easier for maintainers like you to enable two-factor authentication, we're also distributing security keys to eligible maintainers. See http://pypi.org/security-key-giveaway/ for more details.


Unfortunately, this has caused the maintainer of atomicwrites to go on what I can only describe as a rampage, first deleting the project from PyPI (and then finding out it's not possible to restore it): untitaker/python-atomicwrites#61

...to then simply declare the project as unmaintained outright: untitaker/python-atomicwrites@d183284

No matter what the outcome of this will be, IMHO, given those actions I do not feel comfortable with trusting this dependency for something as popular as pytest.

The library itself is relatively simple, and we only use it on Windows. It's MIT-licensed. Should we just copy the parts we need into pytest instead?
