Identify abandoned PyPI packages with pip-abandoned

Relying on abandoned or obsolete packages in our applications is something we generally want to avoid, and pip-abandoned can help with this. In some packaging ecosystems the registry lets a maintainer mark a package as deprecated or abandoned. For example, in NPM:

NPM Legacy Package

and Packagist:

Packagist Abandoned Package

This also allows package managers to use this metadata to issue a warning during installation:

NPM installation warnings

PyPI doesn't have this concept. The registry provides no way for a maintainer to mark a package as abandoned or deprecated, which makes it harder to tell whether you depend on something that is no longer maintained. There are some signals we can look for, though. The strongest is: if a package on PyPI links to a GitHub repository and that repository is archived, the package itself is very likely no longer maintained.

pip-abandoned combines several such signals and lets us scan a virtual environment or a requirements.txt file for packages that appear to be abandoned or outdated.

If any abandoned packages are found, pip-abandoned produces a summary:

Pip Abandoned Summary Report

The tool exits with code 0 if no abandoned packages are found and with a non-zero code if one or more are found, so it can be used both as a CI check and for ad-hoc audits.
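To make the "archived GitHub repository" signal and the exit-code contract concrete, here is an added example that is not pip-abandoned's own code and does not reproduce its other signals. It parses a requirements.txt, resolves each package's GitHub repository from the kind of metadata the PyPI JSON API returns, checks the repository's `archived` flag as returned by the GitHub REST API, and maps the result to the 0/non-zero exit code a CI job would act on. All package names, URLs and metadata below are constructed so the script runs offline; in real use the two dicts would be filled from `https://pypi.org/pypi/<name>/json` and `https://api.github.com/repos/<owner>/<repo>`.

```python
"""Flag PyPI packages whose linked GitHub repository is archived.

Added example (not pip-abandoned's code). The PyPI and GitHub metadata
below is constructed inline so the script runs without network access.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Matches github.com/<owner>/<repo> and tolerates trailing paths such as /issues
GITHUB_RE = re.compile(
    r"^https?://(?:www\.)?github\.com/([^/\s]+)/([^/\s#?]+)", re.IGNORECASE
)
# GitHub paths whose first segment is not a user or organisation
NOT_OWNERS = {"sponsors", "orgs", "topics", "features", "marketplace"}


def parse_requirements(text: str) -> List[str]:
    """Return bare project names from requirements.txt content.

    Strips comments, blank lines, pip options (-r, -e, --index-url ...),
    extras, version specifiers and environment markers.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[\[<>=!~;\s@]", line, maxsplit=1)[0]
        if name:
            names.append(name.lower())
    return names


def github_repo_from_pypi(info: dict) -> Optional[str]:
    """Return 'owner/repo' (lower-cased) from a PyPI 'info' block, or None.

    Looks at home_page first, then every project_urls entry, so a package
    that only lists an issue tracker on GitHub is still resolved.
    """
    candidates = [info.get("home_page") or ""]
    candidates += list((info.get("project_urls") or {}).values())
    for url in candidates:
        match = GITHUB_RE.match(url.strip())
        if not match:
            continue
        owner, repo = match.group(1), match.group(2)
        if owner.lower() in NOT_OWNERS:
            continue
        if repo.lower().endswith(".git"):
            repo = repo[:-4]
        return f"{owner}/{repo}".lower()
    return None


def is_archived(repo_meta: dict) -> bool:
    """GitHub's repository object exposes the archive state as 'archived'."""
    return bool(repo_meta.get("archived"))


def find_abandoned(names: List[str], pypi: Dict[str, dict],
                   github: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return [(package, owner/repo)] for packages whose repo is archived."""
    abandoned = []
    for name in names:
        info = pypi.get(name, {}).get("info", {})
        slug = github_repo_from_pypi(info)
        if slug and is_archived(github.get(slug, {})):
            abandoned.append((name, slug))
    return abandoned


def exit_code(abandoned: List[Tuple[str, str]]) -> int:
    """0 when nothing is flagged, 1 otherwise: the contract a CI step needs."""
    return 1 if abandoned else 0


# --- constructed sample input (hypothetical package names and repos) ---
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
example-old-lib==1.4.0
example-active-lib>=2.0 ; python_version >= "3.8"
example-no-repo[extra]
-r other-requirements.txt
"""
PYPI_METADATA = {  # shape of the 'info' block from the PyPI JSON API
    "example-old-lib": {"info": {
        "home_page": "https://github.com/Example-Org/Old-Lib.git",
        "project_urls": None}},
    "example-active-lib": {"info": {
        "home_page": "",
        "project_urls": {
            "Source": "https://github.com/example-org/active-lib",
            "Issues": "https://github.com/example-org/active-lib/issues"}}},
    "example-no-repo": {"info": {
        "home_page": "https://example.org/no-repo",
        "project_urls": {"Docs": "https://docs.example.org"}}},
}
GITHUB_REPOS = {  # subset of the GitHub /repos/<owner>/<repo> response
    "example-org/old-lib": {"archived": True},
    "example-org/active-lib": {"archived": False},
}


def main() -> int:
    flagged = find_abandoned(parse_requirements(SAMPLE_REQUIREMENTS),
                             PYPI_METADATA, GITHUB_REPOS)
    for name, slug in flagged:
        print(f"{name}: linked repository {slug} is archived")
    return exit_code(flagged)


if __name__ == "__main__":
    sys.exit(main())
```

The `sys.exit(main())` at the bottom is what lets a CI step fail the build on a non-zero status, exactly as the page describes for pip-abandoned itself. Note that an archived repository is a strong signal, not proof: a package can be abandoned without its repository being archived, and the absence of any GitHub link (the `example-no-repo` case) yields no verdict at all.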