nekmo / pip-rating

Check the health of your project's requirements and get a score for each dependency.

Home Page: https://docs.nekmo.org/pip-rating/

License: MIT License



pip-rating

Are the 📦 dependencies (and their dependencies) of your project secure and maintained?

To install 🔧 pip-rating, run this command in your terminal (in a virtualenv preferably):

$ pip install pip-rating

This is the preferred method to install pip-rating, as it will always install the most recent stable release. If you don't have pip installed, this Python installation guide can guide you through the process. 🐍 Python 3.8-3.12 are tested and supported. More info in the documentation.

Pip-rating is a tool to check the security and maintenance of the dependencies of your project. It will check the requirements of your project and their dependencies recursively, and will show you a rating for each of them. The rating is based on multiple factors, like their last release date, the community activity, well-known security vulnerabilities & more.

The rating for each dependency is limited to the lowest rating of its dependencies. For example, if you have a package with a rating of A, but it depends on a package with a rating of C, the final rating of the package will be C. This principle is based on the XKCD comic called Dependency. Read more about how pip-rating works.
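The cap rule above, worked through on a constructed dependency graph that also contains a cycle. This is an added illustration, not pip-rating's own code; the letter ordering, the package names and their individual ratings are assumptions.

```python
# Added worked example of the "rating cap" rule above; not pip-rating's own code.
# Assumed (not from the page): the letter order, the fictional packages and ratings.
from typing import Dict, List

RATING_ORDER = ["A", "B", "C", "D", "E", "F"]  # assumed scale, best first

def worse(a: str, b: str) -> str:
    """Return the lower of two ratings (the later one in RATING_ORDER)."""
    return a if RATING_ORDER.index(a) >= RATING_ORDER.index(b) else b

def effective_ratings(own: Dict[str, str], deps: Dict[str, List[str]]) -> Dict[str, str]:
    """Cap each package at the worst rating in its transitive dependency tree.
    Fixed-point iteration, so dependency cycles terminate instead of recursing forever."""
    effective = dict(own)
    changed = True
    while changed:
        changed = False
        for pkg in effective:
            for dep in deps.get(pkg, []):
                capped = worse(effective[pkg], effective[dep])
                if capped != effective[pkg]:
                    effective[pkg], changed = capped, True
    return effective

def weakest_link(pkg: str, own: Dict[str, str], deps: Dict[str, List[str]],
                 effective: Dict[str, str], _seen=None) -> List[str]:
    """Return one chain pkg -> ... -> culprit whose own rating is the cap,
    i.e. the dependency a maintainer must fix or replace to raise pkg's score."""
    seen = _seen if _seen is not None else set()
    seen.add(pkg)
    target = effective[pkg]
    if own[pkg] == target:
        return [pkg]
    for dep in deps.get(pkg, []):
        if dep not in seen and effective[dep] == target:
            tail = weakest_link(dep, own, deps, effective, seen)
            if tail:
                return [pkg] + tail
    return []

# Constructed sample graph: myapp's direct deps look fine, but libfoo pulls in an
# unmaintained libqux, and libcyc1/libcyc2 depend on each other (a cycle).
OWN = {"myapp": "A", "libfoo": "A", "libbar": "B", "libqux": "D", "libcyc1": "B", "libcyc2": "C"}
DEPS = {"myapp": ["libfoo", "libcyc1"], "libfoo": ["libbar", "libqux"],
        "libcyc1": ["libcyc2"], "libcyc2": ["libcyc1"]}
EFFECTIVE = effective_ratings(OWN, DEPS)  # myapp -> "D", libcyc1 -> "C"
```

`weakest_link("myapp", OWN, DEPS, EFFECTIVE)` returns the chain `["myapp", "libfoo", "libqux"]`, which is the information you need to act on a bad score: the transitive dependency that caused it, not just the grade.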

โ“ Usage

To check the dependencies of your project (pip-rating will detect your requirements file automatically) run this command in your project root:

$ pip-rating

To check the dependencies of a specific requirements file (pip-rating supports the files requirements.txt, requirements.in, setup.py, setup.cfg, pyproject.toml & Pipfile), run this command:

$ pip-rating analyze-file <requirements_file>

[Screenshot: pip-rating text output]

By default, pip-rating shows the results in text format. You can also get the results in other formats like tree:

$ pip-rating analyze-file --format tree <requirements_file>

[Screenshot: pip-rating tree output]

Pip-rating supports other formats like json or only-rating. You can see more examples in the documentation.

To analyze one or more packages, you can use the command pip-rating analyze-package:

$ pip-rating analyze-package <package_name>[ <other_package_name>]

⚡ GitHub Action

Pip-rating can be used as a GitHub Action to check the dependencies of your project on every commit and periodically. To use this GitHub Action, add a file like this to your project at the path .github/workflows/pip-rating.yml:

# .github/workflows/pip-rating.yml
# --------------------------------
name: Pip-rating

on:
  push:
    branches:
      - master
  schedule:
    - cron: '0 0 * * SUN'

jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v2
      - name: Run pip-rating
        uses: Nekmo/pip-rating@master
        with:
          create_badge: true
          badge_style: flat-square
          badge_branch: pip-rating-badge

You can see the execution of the action in the "Actions" tab of your repository. The badge is generated in the pip-rating-badge branch, so you can access it as:

https://raw.githubusercontent.com/<owner>/<repository>/pip-rating-badge/pip-rating-badge.svg

For more info about the action, see the GitHub Action documentation.

💡 Features

  • Analyze the dependencies recursively.
  • Report of dependencies with vulnerabilities.
  • Rating according to the age of the project and the date of the last release.
  • Use of stars, number of contributors, and other criteria to define a community rating.
  • Detect impersonation of dependencies using cross references.
  • Support for multiple formats: text, tree, json or only-rating.

Read more about pip-rating in the documentation.

โค๏ธ Thanks

This project was developed by Nekmo.

Pip-rating is licensed under the MIT license.
