Check the health of your project's requirements and get a rating for each dependency.


pip-rating

Are the 📦 dependencies (and their dependencies) of your project secure and maintained?

To install 🔧 pip-rating, run this command in your terminal (in a virtualenv preferably):

$ pip install pip-rating

This is the preferred method to install pip-rating, as it will always install the most recent stable release. If you don’t have pip installed, this Python installation guide can guide you through the process. 🐍 Python 3.8-3.12 are tested and supported. More info in the documentation.

Pip-rating is a tool to check the security and maintenance status of your project's dependencies. It reads the requirements of your project, resolves their dependencies recursively, and shows a rating for each of them. The rating is based on multiple factors, such as the date of the last release, community activity, well-known security vulnerabilities & more.

The rating for each dependency is limited to the lowest rating of its dependencies. For example, if you have a package with a rating of A, but it depends on a package with a rating of C, the final rating of the package will be C. This principle is based on the XKCD comic called Dependency. Read more about how pip-rating works.
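The capping rule above, as an added example that is not pip-rating's own code: it propagates letter grades through a dependency graph as a fixed point (so dependency cycles are handled) and traces which transitive dependency caused a cap. The grade scale, package names, ratings and edges are constructed for the example.

```python
# Added example, not pip-rating's own code: a package can never rate higher
# than the worst package it depends on, directly or transitively.
# The grade scale, package names, ratings and edges below are constructed.

GRADES = ["A", "B", "C", "D", "E", "F"]          # best to worst
RANK = {grade: i for i, grade in enumerate(GRADES)}

# Constructed dependency graph: package -> its direct dependencies.
DEPS = {"webapp": ["framework", "client"], "framework": ["templating", "parser"],
        "client": ["parser"], "templating": [], "parser": ["oldlib"], "oldlib": []}

# Constructed rating each package earns on its own merits, before propagation.
OWN = {"webapp": "A", "framework": "A", "client": "B",
       "templating": "A", "parser": "B", "oldlib": "C"}


def effective_ratings(own, deps):
    """Return {package: effective rating}: the worst of the package's own rating
    and the effective ratings of its direct dependencies. Computed as a fixed
    point so cycles work. Every package named in `deps` must appear in `own`."""
    ratings = dict(own)
    changed = True
    while changed:            # ratings only ever get worse, so this terminates
        changed = False
        for pkg, dep_list in deps.items():
            worst = ratings[pkg]
            for dep in dep_list:
                if RANK[ratings[dep]] > RANK[worst]:
                    worst = ratings[dep]
            if worst != ratings[pkg]:
                ratings[pkg] = worst
                changed = True
    return ratings


def blame_chain(own, deps, pkg, ratings, seen=()):
    """Return [pkg, ..., culprit], following dependencies that carry pkg's capped
    rating down to the package whose own rating it is; [pkg] means not capped."""
    target = ratings[pkg]
    if own[pkg] == target:
        return [pkg]
    for dep in deps.get(pkg, []):
        if ratings[dep] == target and dep not in seen:
            chain = blame_chain(own, deps, dep, ratings, seen + (pkg,))
            if chain:
                return [pkg] + chain
    return []
```

With the constructed data, `webapp` rates A on its own but ends at C because `framework` pulls in `parser`, which depends on the C-rated `oldlib`.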

❓ Usage

To check the dependencies of your project (pip-rating will detect your requirements file automatically), run this command in your project root:

$ pip-rating

To check the dependencies of a specific requirements file (pip-rating supports the files requirements.txt, requirements.in, setup.py, setup.cfg, pyproject.toml & Pipfile), run this command:

$ pip-rating analyze-file <requirements_file>

[Screenshot: pip-rating text output]

By default, pip-rating shows the results in text format. You can also get the results in other formats like tree:

$ pip-rating analyze-file --format tree <requirements_file>

[Screenshot: pip-rating tree output]

Pip-rating supports other formats like json or only-rating. You can see more examples in the documentation.

To analyze one or more packages, you can use the command pip-rating analyze-package:

$ pip-rating analyze-package <package_name>[ <other_package_name>]

⚡ Github Action

Pip-rating can be used as a Github Action to check the dependencies of your project on every commit and periodically. To use this Github Action, add a file like this to your project at the path .github/workflows/pip-rating.yml:

# .github/workflows/pip-rating.yml
# --------------------------------
name: Pip-rating

on:
  push:
    branches:
      - master
  schedule:
    - cron: '0 0 * * SUN'

jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v2
      - name: Run pip-rating
        uses: Nekmo/pip-rating@master
        with:
          create_badge: true
          badge_style: flat-square
          badge_branch: pip-rating-badge

You can see the execution of the action in the “Actions” tab of your repository. The badge is generated in the pip-rating-badge branch, so you can access it as:

https://raw.githubusercontent.com/<owner>/<repository>/pip-rating-badge/pip-rating-badge.svg

For more info about the action, see the Github Action documentation.

💡 Features

  • Analyze the dependencies recursively.

  • Report of dependencies with vulnerabilities.

  • Rating according to the age of the project and the date of the last release.

  • Use of stars, number of contributors, and other criteria to define a community rating.

  • Detect impersonation of dependencies using cross references.

  • Support for multiple formats: text, tree, json or only-rating.

Read more about pip-rating in the documentation.

❤️ Thanks

This project was developed by Nekmo.

Pip-rating is licensed under the MIT license.

Download files

Source Distribution

pip-rating-0.2.2.tar.gz (28.3 kB), uploaded as: Source

Built Distribution

pip_rating-0.2.2-py2.py3-none-any.whl (31.3 kB), uploaded as: Python 2, Python 3
