Relying on abandoned and deprecated packages in our applications is generally something we want to avoid. pip-abandoned can help with this. In some packaging ecosystems, the registry allows you to mark a package as deprecated or abandoned. For example in NPM:
and Packagist:
This also allows package managers to consume this metadata to provide a warning at install time:
PyPI doesn't have this concept. The registry does not provide any way to abandon or deprecate a package, and this makes it harder to tell if you are relying on a package which is no longer maintained. However, there are some signals we can look at. The best of which is: If a package on PyPI is linked to a GitHub repository and that GitHub repository is archived, this is a strong signal that the package itself is no longer maintained.
pip-abandoned takes into account several signals and allows us to search a virtual environment or requirements.txt
file to identify suspected abandoned or deprecated packages.
If abandoned packages are found, pip-abandoned will produce a summary:
The tool exits with code 0 when no abandoned packages were found and a non-zero code when one or more abandoned packages were found. This means you can use it as a CI check as well as for ad-hoc audits.
Top comments (0)