Search for abandoned and deprecated python packages
Project description
pip-abandoned
Installation
I recommend installing pip-abandoned with pipx. This will give you a system-wide install of pip-abandoned with its dependencies isolated from any environments you intend to scan.
Alternatively pip-abandoned can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.
Introduction
Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.
- Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned
- Some packages may use the
Development Status :: 7 - Inactivetrove classifier to indicate the package is not actively maintained - Some packages may include a
badge in the project README to indicate the package is not actively maintained
pip-abandoned uses these signals to identify potentially abandoned packages in your environment.
Authentication
pip-abandoned uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways we can provide an auth token:
- Via an environment variable called
GH_TOKENe.g:GH_TOKEN=ghp_abc123 - Run
pip-abandoned set-tokento store a token using the system keyring service with keyring
Usage
# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages
# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt
When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means this search will include transitive dependencies.
Exit Codes
pip-abandoned search exits with
- code
0when no inactive, archived or unmaintained packages were found - code
1when an error was encountered. For example:- no packages were supplied in the path provided or
- no auth token was supplied
- code
9when one or more inactive, archived or unmaintained packages were found
Inspiration
pip-abandoned takes inspiration from pip-audit, another great project.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pip_abandoned-0.4.1.tar.gz.
File metadata
- Download URL: pip_abandoned-0.4.1.tar.gz
- Upload date:
- Size: 13.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 36bbecde0f7899b46fddfb6290c1fbc0b0f759f1dacb431e6f034fd2056f78eb |
|
| MD5 | 55f24d779c6d237f4ad014dc51e2ea5c |
|
| BLAKE2b-256 | ec0eb55d29f66a87f541381156feea3c9b35d3fea02bebf6f2c4ff2dcce0500f |
File details
Details for the file pip_abandoned-0.4.1-py3-none-any.whl.
File metadata
- Download URL: pip_abandoned-0.4.1-py3-none-any.whl
- Upload date:
- Size: 8.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | dc9cc1d97d1b3f55f005ba48cd8cbe50d9209da36100958682128f756953d53a |
|
| MD5 | 977e535b9183012d08d0fedaea3bbf38 |
|
| BLAKE2b-256 | 0f59a43e47f5405acd19ca75eeeeb2ff61c4be8a66b12b77ee96f545f21f2ad9 |
