I recommend installing `pip-abandoned` with pipx. This will give you a system-wide install of `pip-abandoned` with its dependencies isolated from any environments you intend to scan.

Alternatively, `pip-abandoned` can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.
Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.
- Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned.
- Some packages may use the `Development Status :: 7 - Inactive` trove classifier to indicate the package is not actively maintained.
- Some packages may include a badge in the project README to indicate the package is not actively maintained.
`pip-abandoned` uses these signals to identify potentially abandoned packages in your environment.
`pip-abandoned` uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways to provide an auth token:

- Via an environment variable called `GH_TOKEN`, e.g. `GH_TOKEN=ghp_abc123`
- Run `pip-abandoned set-token` to store a token in the system keyring service via keyring
```bash
# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages
# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt
```
When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means the search will also include transitive dependencies.
`pip-abandoned search` exits with:

- code `0` when no inactive, archived or unmaintained packages were found
- code `1` when an error was encountered, for example:
  - no packages were supplied in the path provided, or
  - no auth token was supplied
- code `9` when one or more inactive, archived or unmaintained packages were found
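The signals listed earlier and the exit-code convention above, as an added example that is not pip-abandoned's own code: it reads installed package metadata with the standard library, flags the `Development Status :: 7 - Inactive` classifier, extracts the linked GitHub repository (the input a caller would feed to the archived-repository check, which needs the authenticated API call and is left out here), and maps the result onto exit codes 0, 1 and 9. The function names are my own.

```python
"""Local-signal scan for abandoned packages (added example, not pip-abandoned's own code).
Checks the ``Development Status :: 7 - Inactive`` classifier and extracts the linked GitHub
repository (input for the archived-repo check, which needs the authenticated API call and is
left out here), then maps findings onto the exit codes documented for ``pip-abandoned search``."""
import re
import sys
from importlib import metadata

INACTIVE = "Development Status :: 7 - Inactive"
GITHUB_RE = re.compile(r"https?://github\.com/([\w.-]+)/([\w.-]+?)(?:\.git|/|$)")
EXIT_CLEAN, EXIT_ERROR, EXIT_FOUND = 0, 1, 9  # as documented for `pip-abandoned search`

def github_repo(urls):
    """Return (owner, repo) for the first GitHub URL in *urls*, else None."""
    for url in urls:
        match = GITHUB_RE.search(url or "")
        if match:
            return match.group(1), match.group(2)
    return None

def inspect_package(name, classifiers, urls):
    """Evaluate the local signals for one package's metadata (hypothetical helper)."""
    return {"name": name, "inactive": INACTIVE in classifiers,
            "github": github_repo(urls)}

def inspect_site_packages(path):
    """Inspect every distribution installed under a site-packages directory."""
    results = []
    for dist in metadata.distributions(path=[path]):
        md = dist.metadata
        # Project-URL values look like "Source, https://github.com/owner/repo"
        urls = [md.get("Home-page", "")]
        urls += [u.split(",", 1)[-1].strip() for u in md.get_all("Project-URL") or []]
        results.append(inspect_package(md["Name"], md.get_all("Classifier") or [], urls))
    return results

def exit_code(results, error=False):
    """0 = nothing found, 1 = error or no packages supplied, 9 = inactive package(s) found."""
    if error or not results:
        return EXIT_ERROR
    return EXIT_FOUND if any(r["inactive"] for r in results) else EXIT_CLEAN

if __name__ == "__main__":
    found = inspect_site_packages(sys.argv[1])
    for r in found:
        if r["inactive"]:
            print(f"{r['name']}: marked Inactive (repo: {r['github']})")
    sys.exit(exit_code(found))
```

Run it with a site-packages path as the only argument; packages that only carry the archived-repository signal are not reported, since that check is the network step this example omits.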
`pip-abandoned` takes inspiration from pip-audit, another great project.