Python package dependency analytics. Know what you depend on!
Project description
repute
Python package dependency analytics. Know what you depend on!
This is a pre-alpha release. The package is available on pypi only to reserve the name space.
repute takes your requirements.txt and scans data sources on the web to output a columnar report of metrics that help you understand the health of your dependencies.
Quickstart guide
- Generate a
requirements.txtfile for your project. For illustration, we'll use thedemo/requirements.txtfile in this repo. - Install repute like
pip install repute, ideally in its own virtual environment, so that it does not become part of the project that you want to analyze. - Run
repute demo/requirements.txtto analyze the health of your dependencies:
$ repute demo/requirements.txt
/Users/me/Desktop/mycloud/repos/repute/repute/requirements.py:31: UserWarning: ignoring editable installation: '-e file:///my/repo/path'
warnings.warn(f"ignoring editable installation: '{line}'")
Fetching data from PyPI: 100%|████████████████████████████████████████████████████████████████████████████████████████████| 58/58 [00:07<00:00, 7.41it/s]
Fetching data from GitHub: 100%|██████████████████████████████████████████████████████████████████████████████████████████| 27/27 [00:02<00:00, 9.47it/s]
Summarizing 29 dependencies:
Here are your oldest dependencies:
pypi:version_age_days
name version
annotated-types 0.7.0 302
sniffio 1.3.1 387
mpmath 1.3.0 742
The following packages could not be found on GitHub:
name version
0 ruamel-yaml 0.18.10
1 ruamel-yaml-clib 0.2.12
Here are your least popular dependencies in terms of GitHub stars:
gh:stars
name version
astropy-iers-data 0.2025.3.10.0.29.26 3
jsonschema-specifications 2024.10.1 11
pyerfa 2.0.1.5 37
See repute.csv for detailed results.
Installation
Installation:
- We're on pypi, so
pip install repute. - Consider using the simplest-possible virtual environment if working directly on this repo.
Context and discussion
Assessing the quality of python dependencies is a complex problem that goes far beyond the scope of this package. Here's a brief overview of the types of factors that could be considered in a more comprehensive review:
-
Dependency health metrics:
- Total dependency count (direct and transitive)
- Dependency tree depth
- Presence of known problematic dependencies
- Supply chain integrity (signed packages, integrity verification)
-
Maintenance indicators:
- Time since last commit/release
- Release frequency and consistency
- Issue resolution time
- Pull request responsiveness
- Number of active maintainers
- Bus factor (concentration of commits among maintainers)
-
Code quality metrics:
- Test coverage percentage
- CI/CD pipeline robustness
- Static analysis scores
- Documentation completeness
- Adherence to PEP standards
- Type hint coverage
- Presence of deprecation warnings
-
Community health:
- GitHub stars/forks trend over time
- Download statistics from PyPI
- Stack Overflow question frequency and answer rates
- Corporate backing or foundation support
-
Operational considerations:
- Package size (both download and installed)
- Import time impact
- Memory footprint
- Performance benchmarks
- Compatibility with target Python versions
- Platform compatibility (Windows/Linux/macOS)
-
Security-specific indicators:
- OSSF Scorecard results
- Use of memory-unsafe dependencies (C extensions)
- History of CVEs and their severity
- Time to patch previous vulnerabilities
- Application of secure coding practices
- Two-factor authentication usage by maintainers
- Dependency pinning practices
-
Build process integrity:
- Reproducible builds support
- Build artifact signing
- Provenance information availability
- Software Bill of Materials (SBOM) availability
-
API stability:
- Breaking change frequency
- Deprecation policy adherence
- Semantic versioning compliance
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file repute-0.1.1.tar.gz.
File metadata
- Download URL: repute-0.1.1.tar.gz
- Upload date:
- Size: 84.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e0ee78fccd37332e2bad8d4262e488f2aaca515c6b4172fbe968f1843ac0f124
|
|
| MD5 |
b39213ee030f6b3fdb9a1301c05ebed4
|
|
| BLAKE2b-256 |
0ef031008ea5f8dee8a09cff949a1e7aa92148bd477120c83b26ee1e422f1ddf
|
File details
Details for the file repute-0.1.1-py3-none-any.whl.
File metadata
- Download URL: repute-0.1.1-py3-none-any.whl
- Upload date:
- Size: 13.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7a48d8b37012f95a27f8600bed3013591d6d8472d2278e31f8cf5a19772e69f9
|
|
| MD5 |
ca408c2e2cf7e90ed7f9227ce49f4bdc
|
|
| BLAKE2b-256 |
46a2d1c713492280f2b1f21c40219841a6ea042cc0f44f64c45f2e98dc15787c
|
