pip-abandoned

Installation

I recommend installing pip-abandoned with pipx. This will give you a system-wide install of pip-abandoned with its dependencies isolated from any environments you intend to scan.

Alternatively pip-abandoned can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.

Introduction

Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.

• Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned
• Some packages may use the Development Status :: 7 - Inactive trove classifier to indicate the package is not actively maintained
• Some packages may include a badge in the project README to indicate the package is not actively maintained

pip-abandoned uses these signals to identify potentially abandoned packages in your environment.

Authentication

pip-abandoned uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways we can provide an auth token:

• Via an environment variable called GH_TOKEN e.g: GH_TOKEN=ghp_abc123
• Run pip-abandoned set-token to store a token using the system keyring service with keyring

Usage

# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages

# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt

When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means this search will include transitive dependencies.

Exit Codes

pip-abandoned search exits with

• code 0 when no inactive, archived or unmaintained packages were found
• code 1 when an error was encountered. For example:
  • no packages were supplied in the path provided or
  • no auth token was supplied
• code 9 when one or more inactive, archived or unmaintained packages were found

Inspiration

pip-abandoned takes inspiration from pip-audit, another great project.