Skip to main content

PubGrub-based dependency resolver for Python packages

Project description

nab

nab is an experimental Python packaging lock and package download tool, aiming to have similar resolver performance to uv, while being written in Python.

nab reads a pyproject.toml, resolves the dependency tree, and writes a pinned set of versions or a PEP 751 lockfile. It does not install. Hand the lockfile to whatever installer you trust.

Install

For package hygiene, and security reasons, the preference is to install nab itself as a tool, e.g.

Via pipx:

pipx install nab

Or via uv:

uv tool install nab

Quick start

# pyproject.toml
[project]
name = "example"
version = "0.1.0"
dependencies = [
    "starlette<=0.36.0",
    "fastapi<=0.115.2",
]
nab lock pyproject.toml

Writes pylock.toml next to the project. For a sorted name==version list instead, use nab lock --format requirements-without-hashes --output -.

Security

nab makes some opinionated choices to be secure first

Build policy

By default nab tries to extract static metadata, even from sdists, but sometimes that is not possible and you have to build a package to extract the dependency metadata. There are three build policies:

  • never: Never builds a Python package
  • build-local (default): Builds only your local workspace packages if they have dynamic versions or dependencies
  • build-remote: Builds packages sourced from indexes or VCS, it is recommended that this only be turned on via per-package override

Indexes

nab does not currently support sourcing the same package from distinct indexes. Indexes are processed in the order they are given to nab, and the first index that has a package is the only index that nab will source that package.

You can override this behavior by pinning specific packages to specific behavior.

You can also list different urls as a mirror for the same index. When a lockfile is written the primary url will always be used so that the lockfile will be stable, even if mirrors are used (this feature is a work in progress).

VCS policy

By default nab only allows git URLs that point to a specific commit. Using a floating branch as a dependency must be enabled in the configuration.

Standards first behavior

Pre-releases

Pre-release versions are selected if there are no stable versions to select given the requirements, even for transitive dependencies. A user option to force allow or block pre-releases per-package is a work in progress.

Validate per-distribution dependencies

By default when a distribution is chosen the dependencies from that distribution are used, nab does not assume two different distributions for the same package version will have the same dependencies.

However, sometimes you may want the lock file to produce an sdist, that sdist may not have static metadata, and you don't want to wait for the sdist to build on every lock, there is a distribution policy of "sdist-install", that is the metadata will be taken from an appropriate wheel, but the sdist will be selected for the install.

Libraries

This project includes multiple libraries that can be used by other tools:

  • nab-resolver: An agnostic resolver library based on PubGrub, but with extensions that make it compatible with Python packaging standards
  • nab-python: A Python packaging provider that drives the nab-resolver with lots of specific features and optimizations for the Python packaging ecosystem
  • nab-index: Provides APIs for nab-python to interact with Python package indexes, abstracts HTTP library interface so different HTTP libraries can be plugged in

All 3 libraries are in experimental mode, I currently recommend pinning them, e.g. nab-resolver==0.0.1, as APIs may change at any point.

Once we reach 0.1.0 we will only break API stability on each minor update, so you will be able to pin to ==0.1.* or ~=0.1.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nab-0.0.6.tar.gz (1.0 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nab-0.0.6-py3-none-any.whl (24.7 kB view details)

Uploaded Python 3

File details

Details for the file nab-0.0.6.tar.gz.

File metadata

  • Download URL: nab-0.0.6.tar.gz
  • Upload date:
  • Size: 1.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for nab-0.0.6.tar.gz
Algorithm Hash digest
SHA256 e81045e6443c85e3c1d3c7577b73621ef1e6c70c4569af31f31c48877ecf25ff
MD5 82e28c13efe7153370650f488df8847d
BLAKE2b-256 a19a41d10edf77f22a771b5acdbe6a334975b8c8ac4a7d557914ae49f6bbb0a3

See more details on using hashes here.

Provenance

The following attestation bundles were made for nab-0.0.6.tar.gz:

Publisher: release.yml on notatallshaw/nab

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nab-0.0.6-py3-none-any.whl.

File metadata

  • Download URL: nab-0.0.6-py3-none-any.whl
  • Upload date:
  • Size: 24.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for nab-0.0.6-py3-none-any.whl
Algorithm Hash digest
SHA256 64ced630183199e5a5b8c748278479f78ef07cc9c7dad38b0854e6107c770470
MD5 b2e336b691f5c94fda2685c266ca51aa
BLAKE2b-256 0256ceb0cc807c49de8a299bed5f982a2d88a88566f7cfbcb87114c408d0e5da

See more details on using hashes here.

Provenance

The following attestation bundles were made for nab-0.0.6-py3-none-any.whl:

Publisher: release.yml on notatallshaw/nab

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page