This content originally appeared on DEV Community and was authored by chris48s
Relying on abandoned and deprecated packages in our applications is generally something we want to avoid. pip-abandoned can help with this. In some packaging ecosystems, the registry allows you to mark a package as deprecated or abandoned. For example in NPM:
and Packagist:
This also allows package managers to consume this metadata to provide a warning at install time:
PyPI doesn't have this concept. The registry provides no way to mark a package as abandoned or deprecated, which makes it harder to tell whether you are relying on a package that is no longer maintained. There are, however, some signals we can look at. The strongest is this: if a package on PyPI links to a GitHub repository and that repository is archived, the package itself is very likely no longer maintained.
pip-abandoned takes several of these signals into account and lets us search a virtual environment or a requirements.txt file to identify suspected abandoned or deprecated packages.
If abandoned packages are found, pip-abandoned will produce a summary:
The tool exits with code 0 when no abandoned packages were found and a non-zero code when one or more abandoned packages were found. This means you can use it as a CI check as well as for ad-hoc audits.
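To make the "linked GitHub repository is archived" signal and the CI exit-code contract concrete, here is an added example that is not pip-abandoned's own code. It reads requirements.txt content, pulls GitHub repository links out of metadata shaped like PyPI's JSON API (`GET https://pypi.org/pypi/<project>/json`, the `info` object's `home_page` and `project_urls`), checks an `archived` flag shaped like GitHub's `GET /repos/{owner}/{repo}` response, and maps the findings to an exit status. The package names, URLs and API responses are constructed sample data so the script runs offline; `pypi_lookup` and `github_lookup` are hypothetical injection points where a live audit would put real HTTP calls.

```python
import re

# Constructed sample data, shaped like the "info" object of PyPI's JSON API
# (GET https://pypi.org/pypi/<project>/json). The package names are made up.
SAMPLE_PYPI_INFO = {
    "old-widget": {
        "home_page": "https://github.com/example-org/old-widget",
        "project_urls": {"Source": "https://github.com/example-org/old-widget"},
    },
    "fresh-lib": {
        "home_page": "",
        "project_urls": {
            "Homepage": "https://fresh-lib.example",
            "Repository": "https://github.com/example-org/fresh-lib.git",
        },
    },
    "no-repo": {"home_page": "https://no-repo.example", "project_urls": None},
}

# Constructed sample data, shaped like GitHub's GET /repos/{owner}/{repo}
# response; only the "archived" field matters for this check.
SAMPLE_GITHUB_REPOS = {
    "example-org/old-widget": {"archived": True},
    "example-org/fresh-lib": {"archived": False},
}

# Matches https://github.com/<owner>/<repo>, tolerating www., a .git suffix
# and a trailing slash; rejects deeper paths such as /issues or /tree/....
GITHUB_URL = re.compile(
    r"^https?://(?:www\.)?github\.com/([^/\s]+)/([^/\s#?]+?)(?:\.git)?/?$",
    re.IGNORECASE,
)
REQ_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Old_Widget' and 'old-widget' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalised project names from requirements.txt content.

    Comments, blank lines, pip options (-r, --index-url, ...) and URL/VCS
    requirements are skipped; only the distribution name is kept.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        m = REQ_NAME.match(line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def github_repos_for(info: dict) -> set[str]:
    """Collect lower-cased 'owner/repo' slugs from home_page and project_urls."""
    urls = [info.get("home_page") or ""]
    urls += list((info.get("project_urls") or {}).values())
    slugs = set()
    for url in urls:
        m = GITHUB_URL.match(url.strip())
        if m:
            slugs.add(f"{m.group(1)}/{m.group(2)}".lower())
    return slugs


def audit(requirements_text, pypi_lookup=SAMPLE_PYPI_INFO.get,
          github_lookup=SAMPLE_GITHUB_REPOS.get):
    """Return (package, archived_repo_slug) pairs for every requirement whose
    linked GitHub repository is archived. The lookups are hypothetical hooks
    returning dicts in the PyPI / GitHub API shapes (offline samples here)."""
    findings = []
    for name in parse_requirements(requirements_text):
        info = pypi_lookup(name)
        if not info:
            continue  # unknown on the index: no signal either way
        for slug in sorted(github_repos_for(info)):
            repo = github_lookup(slug)
            if repo and repo.get("archived"):
                findings.append((name, slug))
    return findings


def exit_code(findings) -> int:
    """CI semantics: 0 when nothing was flagged, non-zero otherwise."""
    return 1 if findings else 0


if __name__ == "__main__":
    import sys

    # Constructed requirements.txt content for the demo run.
    sample_requirements = "Old_Widget==1.0  # pinned\nfresh-lib>=2\n-r other.txt\nno-repo\n"
    hits = audit(sample_requirements)
    for pkg, slug in hits:
        print(f"{pkg}: linked GitHub repository {slug} is archived")
    sys.exit(exit_code(hits))
```

Two caveats worth keeping in mind when wiring this to real APIs: a package with no GitHub link (like `no-repo` above) yields no signal rather than a clean bill of health, and an archived repository is a strong but not infallible indicator, since some projects move to a new repository without updating their PyPI metadata.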
chris48s | Sciencx (2024-08-23T20:10:45+00:00) Identify Abandoned PyPI Packages with pip-abandoned. Retrieved from https://www.scien.cx/2024/08/23/identify-abandoned-pypi-packages-with-pip-abandoned/