chris48s

Identifying Abandoned PyPI Packages

Relying on abandoned and deprecated packages in our applications is generally something we want to avoid. pip-abandoned can help with this.

In some packaging ecosystems, the registry allows you to mark a package as deprecated or abandoned. For example, in NPM:

[Image: NPM deprecated package]

and Packagist:

[Image: Packagist abandoned package]

This also allows package managers to consume this metadata to provide a warning at install time:

[Image: NPM install warnings]

PyPI doesn't have this concept. The registry does not provide any way to abandon or deprecate a package, and this makes it harder to tell if you are relying on a package which is no longer maintained.

However, there are some signals we can look at. The best of these is: if a package on PyPI is linked to a GitHub repository and that repository is archived, this is a strong signal that the package itself is no longer maintained.

pip-abandoned takes into account several signals and allows us to search a virtual environment or requirements.txt file to identify suspected abandoned or deprecated packages.

If abandoned packages are found, pip-abandoned will produce a summary:

[Image: pip-abandoned summary report]

The tool exits with code 0 when no abandoned packages were found and a non-zero code when one or more abandoned packages were found. This means you can use it as a CI check as well as for ad-hoc audits.
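To make the archived-repository signal and the exit-code convention concrete, here is an added sketch; it is not pip-abandoned's code and covers only that one signal. The function names and sample packages are hypothetical; it assumes PyPI JSON API metadata (`info.project_urls`, `info.home_page`) and the `archived` field of GitHub's `GET /repos/{owner}/{repo}` response.

```python
import json
import re
import urllib.request

# Matches https://github.com/<owner>/<repo> with optional .git suffix or sub-path.
GITHUB_RE = re.compile(
    r"^https?://(?:www\.)?github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[/#?].*)?$")

def github_repo(info):
    """Return 'owner/repo' from a PyPI `info` object, or None if no repo link."""
    urls = list((info.get("project_urls") or {}).values())
    urls.append(info.get("home_page") or "")
    for url in urls:
        m = GITHUB_RE.match(url.strip())
        if m and m.group(1).lower() != "sponsors":  # funding link, not a repo
            return f"{m.group(1)}/{m.group(2)}".lower()
    return None

def is_archived_live(repo):
    """Ask the GitHub REST API whether `repo` is archived (needs network access)."""
    req = urllib.request.Request(f"https://api.github.com/repos/{repo}",
                                 headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return bool(json.load(resp)["archived"])

def audit(packages, is_archived):
    """Return {package: repo} for packages whose linked GitHub repo is archived."""
    flagged = {}
    for name, info in packages.items():
        repo = github_repo(info)
        if repo and is_archived(repo):
            flagged[name] = repo
    return flagged

# Constructed sample metadata (not real packages), shaped like the `info` object
# in the PyPI JSON API response at https://pypi.org/pypi/<name>/json
SAMPLE_PACKAGES = {
    "example-old": {"project_urls": {"Source": "https://github.com/example-org/example-old.git"}},
    "example-live": {"home_page": "https://github.com/Example-Org/example-live/issues",
                     "project_urls": None},
    "example-nolink": {"home_page": "https://example.invalid/docs",
                       "project_urls": {"Funding": "https://github.com/sponsors/someone"}},
}
SAMPLE_ARCHIVED = {"example-org/example-old"}  # constructed stand-in for GitHub's answer

if __name__ == "__main__":
    flagged = audit(SAMPLE_PACKAGES, lambda repo: repo in SAMPLE_ARCHIVED)
    for name, repo in flagged.items():
        print(f"{name}: linked repo {repo} is archived")
    raise SystemExit(1 if flagged else 0)
```

Passing `is_archived_live` as the second argument to `audit` queries GitHub instead of the constructed set; unauthenticated API requests are rate-limited, so a CI job would normally send a token.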
