pip-rating 0.2.2
Are the dependencies (and their dependencies) of your project secure and maintained?
To install pip-rating, run this command in your terminal (preferably inside a virtualenv):
$ pip install pip-rating
This is the preferred method to install pip-rating, as it will always install the most recent stable release.
If you don't have pip installed, this
Python installation guide can guide you through
the process. Python 3.8-3.12 are tested and supported.
More info in the documentation.
Pip-rating is a tool to check the security and maintenance of the dependencies of your project. It will check the
requirements of your project and their dependencies recursively, and will show you a rating for each of them. The
rating is based on multiple factors, like their last release date, the community activity, well-known security
vulnerabilities & more.
The rating for each dependency is capped at the lowest rating among its dependencies. For example, if you have a
package with a rating of A, but it depends on a package with a rating of C, the final rating of the package will be
C. This principle is based on the XKCD comic called Dependency.
Read more about how pip-rating works.
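The cap described above (a package can never rate better than the worst package it pulls in, transitively) is easy to reason about on a small graph. The following is an added example, not code from pip-rating itself: it propagates ratings over a constructed dependency graph until a fixed point is reached, which also handles circular dependencies, and reports which direct dependency is responsible for a package's final rating. The letter scale beyond A and C and the package names are assumptions.

```python
# Added example: propagate "worst rating wins" over a dependency graph.
# Not pip-rating's own code; the rating scale and the sample graph are constructed.

# Rating scale from best to worst (assumption: the page only shows A and C).
RATING_ORDER = ["A", "B", "C", "D", "E", "F"]


def worse(a: str, b: str) -> str:
    """Return the worse of two rating letters."""
    return a if RATING_ORDER.index(a) >= RATING_ORDER.index(b) else b


def effective_ratings(own_ratings: dict, deps: dict) -> dict:
    """Cap every package's rating at the worst rating of its transitive dependencies.

    own_ratings: {package: letter} as scored on the package itself.
    deps:        {package: [direct dependency, ...]}.
    Iterating to a fixed point (rather than recursing) makes cycles harmless:
    each pass can only make a rating worse, and the scale is finite.
    """
    effective = dict(own_ratings)
    changed = True
    while changed:
        changed = False
        for pkg, dep_list in deps.items():
            for dep in dep_list:
                if dep not in effective:
                    raise KeyError(f"{pkg!r} depends on unknown package {dep!r}")
                new = worse(effective[pkg], effective[dep])
                if new != effective[pkg]:
                    effective[pkg] = new
                    changed = True
    return effective


def limiting_dependencies(pkg: str, effective: dict, deps: dict) -> list:
    """Direct dependencies whose effective rating equals pkg's effective rating.

    These are the edges to follow when asking "why did my package get this rating?".
    Returns an empty list when the package's own rating is the limiting factor.
    """
    return sorted(d for d in deps.get(pkg, []) if effective[d] == effective[pkg])


# Constructed sample graph: a project with a clean direct dependency and a
# neglected one that is part of a dependency cycle.
OWN = {"myapp": "A", "requests": "A", "urllib3": "B", "oldlib": "C", "leftpad": "D"}
DEPS = {
    "myapp": ["requests", "oldlib"],
    "requests": ["urllib3"],
    "oldlib": ["leftpad"],
    "leftpad": ["oldlib"],  # cycle: oldlib <-> leftpad
}


def report() -> dict:
    """Compute the effective ratings for the sample graph and print a summary."""
    effective = effective_ratings(OWN, DEPS)
    for pkg in sorted(effective):
        blame = limiting_dependencies(pkg, effective, DEPS)
        cause = f" (limited by {', '.join(blame)})" if blame else ""
        print(f"{pkg:10} own={OWN[pkg]} effective={effective[pkg]}{cause}")
    return effective


if __name__ == "__main__":
    report()
```

In this graph myapp drops from A to D even though its own score and its `requests` chain are fine: `oldlib` inherits D from `leftpad`, and the cycle between the two does not cause infinite recursion because the fixed-point loop only ever lowers a rating.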
Usage
To check the dependencies of your project (pip-rating will detect your requirements file automatically) run this
command in your project root:
$ pip-rating
To check the dependencies of a specific requirements file (pip-rating supports the files requirements.txt,
requirements.in, setup.py, setup.cfg, pyproject.toml & Pipfile), run this command:
$ pip-rating analyze-file <requirements_file>
By default, pip-rating shows the results in text format. You can also get the results in other formats like tree:
$ pip-rating analyze-file --format tree <requirements_file>
Pip-rating supports other formats like json or only-rating. You can see
more examples in the documentation.
To analyze one or more packages, you can use the command pip-rating analyze-package:
$ pip-rating analyze-package <package_name>[ <other_package_name>]
Github Action
Pip-rating can be used as a Github Action to check the dependencies of your project in every commit and periodically.
To use this Github Action, add a file like the following to your project at the path .github/workflows/pip-rating.yml:
# .github/workflows/pip-rating.yml
# --------------------------------
name: Pip-rating
on:
  push:
    branches:
      - master
  schedule:
    - cron: '0 0 * * SUN'
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v2
      - name: Run pip-rating
        uses: Nekmo/pip-rating@master
        with:
          create_badge: true
          badge_style: flat-square
          badge_branch: pip-rating-badge
You can see the execution of the action in the "Actions" tab of your repository. The badge is generated in the
pip-rating-badge branch, so you can access it as:
https://raw.githubusercontent.com/<owner>/<repository>/pip-rating-badge/pip-rating-badge.svg
For more info about the action, see the
Github Action documentation.
Features
Analyze the dependencies recursively.
Report of dependencies with vulnerabilities.
Rating according to the age of the project and the date of the last release.
Use of stars, number of contributors, and other criteria to define a community rating.
Detect impersonation of dependencies using cross references.
Support for multiple formats: text, tree, json or only-rating.
Read more about pip-rating in the documentation.
Thanks
This project is developed by Nekmo.
Pip-rating is licensed under the MIT license.