pip-abandoned 0.4.1

Creator: railscoder56

Description:

Installation
I recommend installing pip-abandoned with pipx. This will give you a system-wide install of pip-abandoned with its dependencies isolated from any environments you intend to scan.
Alternatively, pip-abandoned can be installed from PyPI with your package manager of choice: pip, poetry, pipenv, etc.
Introduction
Some package registries like NPM and Packagist allow a user to mark a package as abandoned or deprecated. This means it is relatively easy to tell if you are relying on a package abandoned by its author. It also allows package managers to consume this metadata to provide a warning at install time. PyPI does not have a mechanism to abandon or deprecate a package. There are some signals we can look at though.

- Many packages are linked to a GitHub repository. If that GitHub repository is archived, this is a strong signal that the package itself is abandoned.
- Some packages may use the Development Status :: 7 - Inactive trove classifier to indicate the package is not actively maintained.
- Some packages may include a badge in the project README to indicate the package is not actively maintained.

pip-abandoned uses these signals to identify potentially abandoned packages in your environment.
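
The first two signals can be read from installed package metadata without any network access. The sketch below is an added example, not pip-abandoned's own code: it scans a site-packages directory for the Inactive classifier and extracts the GitHub owner/repo that would then be checked for archived status. The function names and the sample packages (oldlib, freshlib, example-org) are constructed for illustration.

```python
import re
import tempfile
from importlib.metadata import distributions
from pathlib import Path

INACTIVE = "Development Status :: 7 - Inactive"
GITHUB_RE = re.compile(r"https?://github\.com/([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[/#?]|$)")


def scan_site_packages(site_packages):
    """Return {name: {"inactive": bool, "github": "owner/repo" or None}}."""
    report = {}
    for dist in distributions(path=[str(site_packages)]):
        meta = dist.metadata
        classifiers = meta.get_all("Classifier") or []
        # Project-URL values look like "Label, https://..."; Home-page is a bare URL.
        urls = [u.split(",", 1)[-1].strip() for u in meta.get_all("Project-URL") or []]
        if meta.get("Home-page"):
            urls.append(meta["Home-page"])
        matches = (GITHUB_RE.match(u) for u in urls)
        repo = next((f"{m[1]}/{m[2]}" for m in matches if m), None)
        report[meta["Name"]] = {"inactive": INACTIVE in classifiers, "github": repo}
    return report


def make_constructed_env(root):
    """Build two constructed .dist-info directories for the demo (not real packages)."""
    samples = {
        "oldlib-1.0": "Classifier: Development Status :: 7 - Inactive\n"
                      "Project-URL: Source, https://github.com/example-org/oldlib\n",
        "freshlib-2.3": "Classifier: Development Status :: 5 - Production/Stable\n"
                        "Home-page: https://example.org/freshlib\n",
    }
    for stem, extra in samples.items():
        name, version = stem.split("-")
        d = Path(root) / f"{stem}.dist-info"
        d.mkdir()
        (d / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n{extra}")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, signals in scan_site_packages(make_constructed_env(tmp)).items():
            print(pkg, signals)
```

A package with no GitHub URL in its metadata yields no repository to check, so the archived-repository signal is simply unavailable for it.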
Authentication
pip-abandoned uses the GitHub GraphQL API to efficiently query many repos at once. The advantage of this is that it is fast. The tradeoff is that authentication is required. A PAT with read-only access to public repos will be sufficient for most cases. There are two ways we can provide an auth token:

- Via an environment variable called GH_TOKEN, e.g. GH_TOKEN=ghp_abc123
- Run pip-abandoned set-token to store a token using the system keyring service with keyring

Usage
# Search a virtualenv path:
pip-abandoned search /home/alice/.virtualenvs/myproject/lib/python3.10/site-packages

# Search a requirements file:
pip-abandoned search -r /path/to/requirements.txt

When searching one or more requirements files, your packages will be installed into a temporary virtualenv. This means this search will include transitive dependencies.
Exit Codes
pip-abandoned search exits with:

- code 0 when no inactive, archived or unmaintained packages were found
- code 1 when an error was encountered. For example:
  - no packages were supplied in the path provided, or
  - no auth token was supplied
- code 9 when one or more inactive, archived or unmaintained packages were found

Inspiration
pip-abandoned takes inspiration from pip-audit, another great project.

License

For personal and professional use. You cannot resell or redistribute these repositories in their original state.
