DEV Community

chris48s
Identifying Abandoned PyPI Packages

Relying on abandoned and deprecated packages in our applications is generally something we want to avoid. pip-abandoned can help with this. In some packaging ecosystems, the registry allows you to mark a package as deprecated or abandoned. For example in NPM:

[Image: NPM deprecated package]

and Packagist:

[Image: Packagist abandoned package]

This also allows package managers to consume this metadata to provide a warning at install time:

[Image: NPM install warnings]

PyPI doesn't have this concept. The registry provides no way to abandon or deprecate a package, which makes it harder to tell whether you are relying on a package that is no longer maintained. However, there are some signals we can look at. The strongest is this: if a package on PyPI is linked to a GitHub repository and that GitHub repository is archived, it is a strong signal that the package itself is no longer maintained.

pip-abandoned takes into account several signals and allows us to search a virtual environment or requirements.txt file to identify suspected abandoned or deprecated packages.

If abandoned packages are found, pip-abandoned will produce a summary:

[Image: pip-abandoned summary report]

The tool exits with code 0 when no abandoned packages were found and a non-zero code when one or more abandoned packages were found. This means you can use it as a CI check as well as for ad-hoc audits.
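As an added example, not pip-abandoned's own code: a minimal check for the archived-GitHub-repository signal described above, built on the public PyPI JSON API and GitHub repository API, and following the same exit-code convention so it can gate a CI job. The package name, URLs and API responses in the sample data are constructed, and the script only touches the network when you pass a package name.

```python
import json
import re
import sys
from urllib.request import Request, urlopen

PYPI_URL = "https://pypi.org/pypi/{name}/json"              # PyPI JSON API
GITHUB_URL = "https://api.github.com/repos/{owner}/{repo}"  # GitHub REST API
GITHUB_RE = re.compile(r"^https?://(?:www\.)?github\.com/([^/\s]+)/([^/\s#?]+?)(?:\.git)?/?$")

# Constructed sample data standing in for the two APIs, so the demo runs offline.
SAMPLE_INFO = {"home_page": "", "project_urls": {
    "Source": "https://github.com/example-org/old-lib.git",
    "Docs": "https://old-lib.readthedocs.io"}}
SAMPLE_GITHUB = {"example-org/old-lib": {"archived": True}}

def github_repos_from_pypi(info):
    """Collect (owner, repo) pairs from a PyPI 'info' block: home_page + project_urls."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    repos = []
    for url in urls:
        m = GITHUB_RE.match(url or "")
        if m and m.groups() not in repos:
            repos.append(m.groups())
    return repos

def archived_signal(info, github_meta):
    """Return 'owner/repo' of the first linked repo GitHub reports as archived, else None.
    github_meta maps 'owner/repo' -> parsed GitHub repo JSON (missing key = not checked)."""
    for owner, repo in github_repos_from_pypi(info):
        if (github_meta.get(f"{owner}/{repo}") or {}).get("archived") is True:
            return f"{owner}/{repo}"
    return None

def fetch_json(url):
    """Live lookup; only used when a package name is given on the command line."""
    with urlopen(Request(url, headers={"Accept": "application/json"})) as resp:
        return json.load(resp)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python check_archived.py <package>
        name = sys.argv[1]
        info = fetch_json(PYPI_URL.format(name=name))["info"]
        gh = {f"{o}/{r}": fetch_json(GITHUB_URL.format(owner=o, repo=r))
              for o, r in github_repos_from_pypi(info)}
    else:  # offline demo on the constructed sample
        name, info, gh = "old-lib (sample)", SAMPLE_INFO, SAMPLE_GITHUB
    hit = archived_signal(info, gh)
    print(f"{name}: linked repo {hit} is archived" if hit else f"{name}: no archived-repo signal")
    sys.exit(1 if hit else 0)  # non-zero on a hit so it can gate CI, like pip-abandoned
```

An archived repository is only one signal; a package with no GitHub link at all gets no verdict here, which is why pip-abandoned combines several signals rather than relying on this one.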
