Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chris48s/pip-abandoned
📦 Search for abandoned and deprecated python packages
https://github.com/chris48s/pip-abandoned
package-management security-audit supply-chain
Last synced: 8 days ago
JSON representation
📦 Search for abandoned and deprecated python packages
- Host: GitHub
- URL: https://github.com/chris48s/pip-abandoned
- Owner: chris48s
- License: mit
- Created: 2023-09-01T17:55:38.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-10-23T18:23:07.000Z (13 days ago)
- Last Synced: 2024-10-24T03:48:42.105Z (12 days ago)
- Topics: package-management, security-audit, supply-chain
- Language: Python
- Homepage: https://pypi.org/project/pip-abandoned/
- Size: 124 KB
- Stars: 7
- Watchers: 2
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
# pip-abandoned
[](https://github.com/chris48s/pip-abandoned/actions/workflows/test.yml)
[](https://codecov.io/gh/chris48s/pip-abandoned)
[](https://pypi.org/project/pip-abandoned/)
## Installation
I recommend installing `pip-abandoned` with [pipx](https://pypa.github.io/pipx/). This will give you a system-wide install of `pip-abandoned` with its dependencies isolated from any environments you intend to scan.
Alternatively `pip-abandoned` can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.
## Introduction
Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.
- Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned
- Some packages may use the `Development Status :: 7 - Inactive` trove classifier to indicate the package is not actively maintained
- Some packages may include a  badge in the project README to indicate the package is not actively maintained
`pip-abandoned` uses these signals to identify potentially abandoned packages in your environment.
## Authentication
`pip-abandoned` uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways we can provide an auth token:
- Via an environment variable called `GH_TOKEN` e.g: `GH_TOKEN=ghp_abc123`
- Run `pip-abandoned set-token` to store a token using the system keyring service with [keyring](https://pypi.org/project/keyring/)
## Usage
```bash
# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages
```
```bash
# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt
```
When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means this search will include transitive dependencies.
## Exit Codes
`pip-abandoned search` exits with
- code `0` when no inactive, archived or unmaintained packages were found
- code `1` when an error was encountered. For example:
- no packages were supplied in the path provided or
- no auth token was supplied
- code `9` when one or more inactive, archived or unmaintained packages were found
## Inspiration
`pip-abandoned` takes inspiration from [pip-audit](https://github.com/pypa/pip-audit), another great project.