Safer python package installation with audit and consent before install

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for feynmanix from gravatar.com feynmanix

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Feynmanix
  • Tags pip , security
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

pipask: Know What You're Installing Before It's Too Late

A safer way to install Python packages without compromising convenience. pipask-demo

Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which needs to download and execute code from source distribution first to get dependency metadata, pipask relies on metadata from PyPI whenever possible. If 3rd party code execution is necessary, pipask asks for consent first. The actual installation is handed over to pip if installation is approved.

See the introductory blog post for more information.

Installation

The recommended way to install pipask is with pipx to isolate dependencies:

pipx install pipask

Alternatively, you can install it using pip:

pip install pipask

Usage

Use pipask exactly as you would use pip:

pipask install requests
pipask install 'fastapi>=0.100.0'
pipask install -r requirements.txt

For maximum convenience, alias pip to point to pipask:

alias pip='pipask'

Add this to your shell configuration file (~/.bashrc, ~/.bash_profile, ~/.zshrc, etc.). You can always fall back to native pip with python -m pip if needed.

To run checks without installing, use the --dry-run flag:

pipask install requests --dry-run

Security Checks

Pipask performs these checks before allowing installation:

  • Repository popularity - verification of links from PyPI to repositories, number of stars on GitHub or GitLab source repo (warning below 1000 stars)
  • Package and release age - warning for new packages (less than 22 days old) or stale releases (older than 365 days)
  • Known vulnerabilities in the package available in PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
  • Number of downloads from PyPI in the last month (warning below 1000 downloads)
  • Metadata verification: Checks for license availability, development status, and yanked packages

All checks are executed for requested (i.e., explicitly specified) packages. Only the known vulnerabilities check is executed for transitive dependencies.

How pipask works

Under the hood, pipask:

  1. Uses PyPI's JSON API to retrieve metadata without downloading or executing code
  2. When code execution is unavoidable, asks for confirmation first
  3. Collects security information from multiple sources:
    • Download statistics from pypistats.org
    • Repository popularity from GitHub or GitLab
    • Vulnerability details from OSV.dev
    • Attestation metadata from PyPI integrity API
  4. Presents a formatted report and asks for consent
  5. Hands over to standard pip for the actual installation if approved

Development

See CONTRIBUTING.md for development guidance.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for feynmanix from gravatar.com feynmanix

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Feynmanix
  • Tags pip , security
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

0.9.7

This version

0.9.6

0.9.3

0.9.2

0.9.1

0.8.1

0.8.0

0.8.0a3 pre-release

0.7.1

0.7.0

0.6.2

0.5.0

0.4.0

0.3.3

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pipask-0.9.6.tar.gz (326.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pipask-0.9.6-py3-none-any.whl (405.4 kB view details)

Uploaded Python 3

File details

Details for the file pipask-0.9.6.tar.gz.

File metadata

  • Download URL: pipask-0.9.6.tar.gz
  • Upload date:
  • Size: 326.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for pipask-0.9.6.tar.gz
Algorithm Hash digest
SHA256 c25d50efba11c061fff0ca4f7c207d93ccb29e2b7bfb3bfb35c67ac3882d080d
MD5 abe4ca232415b52657620a23916e7fe2
BLAKE2b-256 7cf87eda7f331c2f0f82984be450da70411d3839fa75482546a36f8e0b9daf1e

See more details on using hashes here.

Provenance

The following attestation bundles were made for pipask-0.9.6.tar.gz:

Publisher: release.yaml on feynmanix/pipask

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pipask-0.9.6-py3-none-any.whl.

File metadata

  • Download URL: pipask-0.9.6-py3-none-any.whl
  • Upload date:
  • Size: 405.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for pipask-0.9.6-py3-none-any.whl
Algorithm Hash digest
SHA256 ef6b9c7069ba2b6626848f69527d9be572bbe70bfcf777d0d10fb9f8e31a63c6
MD5 bbe39cc8c11113ebdb722837693ed305
BLAKE2b-256 a5977541dff6f6062e8ac4e664ff72607940f37bdff19a8c9c94b5507542f3f8

See more details on using hashes here.

Provenance

The following attestation bundles were made for pipask-0.9.6-py3-none-any.whl:

Publisher: release.yaml on feynmanix/pipask

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page