Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

chris48s/pip-abandoned

BranchesTags
Open more actions menu

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

165 Commits
.github
.github
 
 
pip_abandoned
pip_abandoned
 
 
tests
tests
 
 
.flake8
.flake8
 
 
.gitignore
.gitignore
 
 
.isort.cfg
.isort.cfg
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
release.sh
release.sh
 
 

Repository files navigation

pip-abandoned

Run tests codecov PyPI Version License Python Compatibility Code style: black

Installation

I recommend installing pip-abandoned with pipx. This will give you a system-wide install of pip-abandoned with its dependencies isolated from any environments you intend to scan.

Alternatively pip-abandoned can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.

Introduction

Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.

  • Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned
  • Some packages may use the Development Status :: 7 - Inactive trove classifier to indicate the package is not actively maintained
  • Some packages may include a not maintained badge in the project README to indicate the package is not actively maintained

pip-abandoned uses these signals to identify potentially abandoned packages in your environment.

Authentication

pip-abandoned uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways we can provide an auth token:

  • Via an environment variable called GH_TOKEN e.g: GH_TOKEN=ghp_abc123
  • Run pip-abandoned set-token to store a token using the system keyring service with keyring

Usage

# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages
# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt

When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means this search will include transitive dependencies.

Exit Codes

pip-abandoned search exits with

  • code 0 when no inactive, archived or unmaintained packages were found
  • code 1 when an error was encountered. For example:
    • no packages were supplied in the path provided or
    • no auth token was supplied
  • code 9 when one or more inactive, archived or unmaintained packages were found

Inspiration

pip-abandoned takes inspiration from pip-audit, another great project.

About

📦 Search for abandoned and deprecated python packages

pypi.org/project/pip-abandoned/

Topics

security-audit supply-chain package-management

Resources

Readme

License

MIT license
Activity

Stars

8 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages
Morty Proxy This is a proxified and sanitized view of the page, visit original site.