
Safer Python package installation with audit and consent before install

Project description

pipask: Know What You're Installing Before It's Too Late

A safer way to install Python packages without compromising convenience.

Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which has to download and execute code from a source distribution before it can obtain dependency metadata, pipask relies on metadata from PyPI whenever possible. If third-party code execution is unavoidable, pipask asks for consent first. If installation is approved, the actual installation is handed over to pip.

See the introductory blog post for more information.

Installation

The recommended way to install pipask is with pipx to isolate dependencies:

pipx install pipask

Alternatively, you can install it using pip:

pip install pipask

Usage

Use pipask exactly as you would use pip:

pipask install requests
pipask install 'fastapi>=0.100.0'
pipask install -r requirements.txt

For maximum convenience, alias pip to point to pipask:

alias pip='pipask'

Add this to your shell configuration file (~/.bashrc, ~/.bash_profile, ~/.zshrc, etc.). You can always fall back to native pip with python -m pip if needed.

To run checks without installing, use the --dry-run flag:

pipask install requests --dry-run

Security Checks

Pipask performs these checks before allowing installation:

  • Repository popularity: verification of the links from PyPI to the source repository, and the number of stars on the GitHub or GitLab repository (warning below 1000 stars)
  • Package and release age: warning for new packages (less than 22 days old) or stale releases (older than 365 days)
  • Known vulnerabilities in the package version available on PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
  • Number of downloads from PyPI in the last month (warning below 1000 downloads)
  • Metadata verification: checks for license availability, development status, and yanked releases

All checks are executed for requested (i.e., explicitly specified) packages. Only the known vulnerabilities check is executed for transitive dependencies.

How pipask works

Under the hood, pipask:

  1. Uses PyPI's JSON API to retrieve metadata without downloading or executing code
  2. When code execution is unavoidable, asks for confirmation first
  3. Collects security information from multiple sources:
    • Download statistics from pypistats.org
    • Repository popularity from GitHub or GitLab
    • Vulnerability details from OSV.dev
    • Attestation metadata from the PyPI integrity API
  4. Presents a formatted report and asks for consent
  5. Hands over to standard pip for the actual installation if approved
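The checks listed under Security Checks and the metadata-first step above, as an added illustrative example (not pipask's own code): it applies the README's thresholds to a PyPI JSON API document and to star, download and OSV severity values that are assumed to have been fetched separately; the sample document, the package name and the fixed clock are constructed for the example.

```python
"""Pre-install checks modelled on the pipask README thresholds (illustrative example, not pipask's code).
Assumes PyPI JSON metadata and external signals (stars, downloads, OSV severities) are already fetched."""
from datetime import datetime, timezone

MIN_STARS, MIN_DOWNLOADS = 1000, 1000  # thresholds quoted in the README
NEW_PACKAGE_DAYS, STALE_RELEASE_DAYS = 22, 365

def _upload_time(files):  # earliest upload timestamp among the files of one release
    return min(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00")) for f in files)

def check_package(pypi_json, version, stars, monthly_downloads, vuln_severities, now):
    """Return (verdict, findings); verdict is 'ok', 'warning' or 'failure'."""
    info, releases, findings = pypi_json["info"], pypi_json["releases"], []
    # Known vulnerabilities are the only check that fails the install outright.
    sev = {s.upper() for s in vuln_severities}
    if sev & {"HIGH", "CRITICAL"}:
        findings.append(("failure", "HIGH or CRITICAL vulnerability reported"))
    elif "MODERATE" in sev:
        findings.append(("warning", "MODERATE vulnerability reported"))
    if stars is None or stars < MIN_STARS:  # None: no verified repository link on PyPI
        findings.append(("warning", f"repository popularity below {MIN_STARS} stars"))
    if monthly_downloads < MIN_DOWNLOADS:
        findings.append(("warning", f"only {monthly_downloads} downloads last month"))
    # Package age (first upload of any release) and age of the requested release.
    if (now - min(_upload_time(f) for f in releases.values() if f)).days < NEW_PACKAGE_DAYS:
        findings.append(("warning", f"package first published under {NEW_PACKAGE_DAYS} days ago"))
    files = releases.get(version, [])
    if files and (now - _upload_time(files)).days > STALE_RELEASE_DAYS:
        findings.append(("warning", f"release {version} is older than {STALE_RELEASE_DAYS} days"))
    classifiers = info.get("classifiers", [])  # metadata: license, dev status, yanked
    if not info.get("license") and not any(c.startswith("License ::") for c in classifiers):
        findings.append(("warning", "no license declared"))
    if not any(c.startswith("Development Status ::") for c in classifiers):
        findings.append(("warning", "no development status classifier"))
    if any(f.get("yanked") for f in files):
        findings.append(("warning", f"release {version} has been yanked"))
    verdict = "failure" if any(l == "failure" for l, _ in findings) else "warning" if findings else "ok"
    return verdict, [msg for _, msg in findings]

SAMPLE_PYPI_JSON = {  # constructed sample document, not a real package
    "info": {"name": "examplepkg", "license": "", "classifiers": ["Development Status :: 4 - Beta"]},
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2023-01-10T12:00:00.000000Z", "yanked": False}],
        "0.2.0": [{"upload_time_iso_8601": "2024-06-01T08:30:00.000000Z", "yanked": True}],
    },
}
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    print(check_package(SAMPLE_PYPI_JSON, "0.2.0", 250, 5000, ["moderate"], NOW))
```

Only the explicitly requested package would get the full report; per the README, transitive dependencies get just the vulnerability check.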

Development

See CONTRIBUTING.md for development guidance.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pipask-0.9.3.tar.gz (326.1 kB, Source)

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pipask-0.9.3-py3-none-any.whl (405.3 kB, Python 3)

File details

Details for the file pipask-0.9.3.tar.gz.

File metadata

  • Download URL: pipask-0.9.3.tar.gz
  • Upload date:
  • Size: 326.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for pipask-0.9.3.tar.gz

  • SHA256: 224f464f4d1d3fd5e287b961543a44caa8c24c698303a486bc227db25bda9227
  • MD5: 056789e1c0d6d1d3b8c256dd0cd8de0a
  • BLAKE2b-256: cbc1888561a230eae0dbc50f67301b4fc9e817f6d8f5b98132b0edd837eed7e7

Provenance

The following attestation bundles were made for pipask-0.9.3.tar.gz:

Publisher: release.yaml on feynmanix/pipask

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pipask-0.9.3-py3-none-any.whl.

File metadata

  • Download URL: pipask-0.9.3-py3-none-any.whl
  • Upload date:
  • Size: 405.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for pipask-0.9.3-py3-none-any.whl

  • SHA256: e16004217827e1c5baf08a9c37d04c549b57410faf6e21c6d01a4f9835665c08
  • MD5: daaf3bf15bd6e9384a36fed8d8bfa09b
  • BLAKE2b-256: 6329c7e30832e2830afd441eb08bef2863bd53f79b116099ec31d147c76c166e

Provenance

The following attestation bundles were made for pipask-0.9.3-py3-none-any.whl:

Publisher: release.yaml on feynmanix/pipask

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
