Skip to main content

PubGrub-based dependency resolver for Python packages

Project description

nab

nab is an experimental Python packaging lock and package download tool, aiming to have similar resolver performance to uv, while being written in Python.

nab reads a pyproject.toml, resolves the dependency tree, and writes a pinned set of versions or a PEP 751 lockfile. It does not install. Hand the lockfile to whatever installer you trust.

Install

For package hygiene, and security reasons, the preference is to install nab itself as a tool, e.g.

Via pipx:

pipx install nab

Or via uv:

uv tool install nab

Quick start

# pyproject.toml
[project]
name = "example"
version = "0.1.0"
dependencies = [
    "starlette<=0.36.0",
    "fastapi<=0.115.2",
]
nab lock pyproject.toml

Writes pylock.toml next to the project. For a sorted name==version list instead, use nab lock --format requirements-without-hashes --output -.

Security

nab makes some opinionated choices to be secure first

Build policy

By default nab tries to extract static metadata, even from sdists, but sometimes that is not possible and you have to build a package to extract the dependency metadata. There are three build policies:

  • never: Never builds a Python package
  • build-local (default): Builds only your local workspace packages if they have dynamic versions or dependencies
  • build-remote: Builds packages sourced from indexes or VCS, it is recommended that this only be turned on via per-package override

Indexes

nab does not currently support sourcing the same package from distinct indexes. Indexes are processed in the order they are given to nab, and the first index that has a package is the only index that nab will source that package.

You can override this behavior by pinning specific packages to specific behavior.

You can also list different urls as a mirror for the same index. When a lockfile is written the primary url will always be used so that the lockfile will be stable, even if mirrors are used (this feature is a work in progress).

VCS policy

By default nab only allows git URLs that point to a specific commit. Using a floating branch as a dependency must be enabled in the configuration.

Standards first behavior

Pre-releases

Pre-release versions are selected if there are no stable versions to select given the requirements, even for transitive dependencies. A user option to force allow or block pre-releases per-package is a work in progress.

Validate per-distribution dependencies

By default when a distribution is chosen the dependencies from that distribution are used, nab does not assume two different distributions for the same package version will have the same dependencies.

However, sometimes you may want the lock file to produce an sdist, that sdist may not have static metadata, and you don't want to wait for the sdist to build on every lock, there is a distribution policy of "sdist-install", that is the metadata will be taken from an appropriate wheel, but the sdist will be selected for the install.

Libraries

This project includes multiple libraries that can be used by other tools:

  • nab-resolver: An agnostic resolver library based on PubGrub, but with extensions that make it compatible with Python packaging standards
  • nab-python: A Python packaging provider that drives the nab-resolver with lots of specific features and optimizations for the Python packaging ecosystem
  • nab-index: Provides APIs for nab-python to interact with Python package indexes, abstracts HTTP library interface so different HTTP libraries can be plugged in

All 3 libraries are in experimental mode, I currently recommend pinning them, e.g. nab-resolver==0.0.1, as APIs may change at any point.

Once we reach 0.1.0 we will only break API stability on each minor update, so you will be able to pin to ==0.1.* or ~=0.1.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nab-0.0.4.tar.gz (858.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

nab-0.0.4-py3-none-any.whl (16.5 kB view details)

Uploaded Python 3

File details

Details for the file nab-0.0.4.tar.gz.

File metadata

  • Download URL: nab-0.0.4.tar.gz
  • Upload date:
  • Size: 858.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for nab-0.0.4.tar.gz
Algorithm Hash digest
SHA256 78af5f4c2a72995267afe0976dcc6e2637faa19dbef3087bb848c204e7091fec
MD5 9ae5376b73a2641bd175b7600ce6898b
BLAKE2b-256 7a37455a30fdb9c44048c202c12610de2af39dac7c71b98e29afda1a84ce5b90

See more details on using hashes here.

Provenance

The following attestation bundles were made for nab-0.0.4.tar.gz:

Publisher: release.yml on notatallshaw/nab

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nab-0.0.4-py3-none-any.whl.

File metadata

  • Download URL: nab-0.0.4-py3-none-any.whl
  • Upload date:
  • Size: 16.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for nab-0.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 322f9ca2cbb5adbf9ad5c55e84313a43e5d31559451bceb6fd47c842ff859740
MD5 01f4f3d1651554b6d9a93a2e0f8df782
BLAKE2b-256 2cbd682bb90cfd006012d408791c767fd89b50235be86786a41e4f0f835e0bcf

See more details on using hashes here.

Provenance

The following attestation bundles were made for nab-0.0.4-py3-none-any.whl:

Publisher: release.yml on notatallshaw/nab

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page