DepHell -- project management for Python.
Why it is better than all other tools:
Also, DepHell has a large ecosystem with separated libraries, so you can use only the parts of DepHell that you need.
Try pipenv install oslo.utils==1.4.0. Pipenv can't handle it, but DepHell can:
dephell deps add --from=Pipfile oslo.utils==1.4.0
to add the new dependency, and
dephell deps convert --from=Pipfile --to=Pipfile.lock
to lock it.
Features:
See documentation for more details.
Follow @PythonDepHell on Twitter to get updates about new features and releases.
curl -L dephell.org/install | python3
See installation documentation for alternatives.
Supported formats: egginfo, sdist, wheel, pip, piplock, pipfile, pipfilelock, poetry, poetrylock, imports, installed, setuppy, flit, conda, pyproject.
)First of all, install DepHell and activate autocomplete:
python3 -m pip install --user dephell[full]
dephell self autocomplete
Let's get sampleproject and make it better.
git clone https://github.com/pypa/sampleproject.git
cd sampleproject
This project uses setup.py for dependencies and metainfo. However, this format is over-complicated for most projects. Let's convert it into poetry:
dephell deps convert --from=setup.py --to=pyproject.toml
It will produce the following pyproject.toml:
[tool.poetry]
name = "sampleproject"
version = "1.2.0"
description = "A sample Python project"
authors = ["The Python Packaging Authority <pypa-dev@googlegroups.com>"]
readme = "README.md"
[tool.poetry.scripts]
sample = "sample:main"
[tool.poetry.dependencies]
python = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,<4,>=2.7"
coverage = {optional = true}
peppercorn = "*"
[tool.poetry.dev-dependencies]
check-manifest = "*"
[tool.poetry.extras]
test = ["coverage"]
Now, let's generate some useful files:
dephell generate authors
dephell generate license MIT
# https://editorconfig.org/
dephell generate editorconfig
Our users probably have not installed poetry, but they are likely to have pip and can install from setup.py. Let's make it easy to generate setup.py from our pyproject.toml. This config also tells DepHell which file to treat as your default dependencies file. Add the following lines to the pyproject.toml:
[tool.dephell.main]
from = {format = "poetry", path = "pyproject.toml"}
to = {format = "setuppy", path = "setup.py"}
You can see a full, real-world example of a config in DepHell's own pyproject.toml.
Now we can call DepHell commands without explicitly specifying from and to:
dephell deps convert
It will make setup.py and README.rst from pyproject.toml and README.md.
Now let's test our code in a virtual environment:
$ dephell venv run pytest
WARNING venv does not exist, creating... (project=/home/gram/Documents/sampleproject, env=main, path=/home/gram/.local/share/dephell/venvs/sampleproject-Whg0/main)
INFO venv created (path=/home/gram/.local/share/dephell/venvs/sampleproject-Whg0/main)
WARNING executable does not found in venv, trying to install... (executable=pytest)
INFO build dependencies graph...
INFO installation...
# ... pip output
# ... pytest output
We can now activate the virtual environment for our project and run any commands inside:
dephell venv shell
Ugh, we have tests, but don't have pytest in our dependencies file. Let's add it:
dephell deps add --envs dev test -- pytest
After that, our dev-dependencies look like this:
[tool.poetry.dev-dependencies]
check-manifest = "*"
pytest = "*"
[tool.poetry.extras]
test = ["coverage", "pytest"]
Eventually we will have many more dependencies. Let's look at how many of them we have now:
$ dephell deps tree
- check-manifest [required: *, locked: 0.37, latest: 0.37]
- coverage [required: *, locked: 4.5.3, latest: 4.5.3]
- peppercorn [required: *, locked: 0.6, latest: 0.6]
- pytest [required: *, locked: 4.4.0, latest: 4.4.0]
  - atomicwrites [required: >=1.0, locked: 1.3.0, latest: 1.3.0]
  - attrs [required: >=17.4.0, locked: 19.1.0, latest: 19.1.0]
  - colorama [required: *, locked: 0.4.1, latest: 0.4.1]
  - funcsigs [required: >=1.0, locked: 1.0.2, latest: 1.0.2]
  - more-itertools [required: <6.0.0,>=4.0.0, locked: 5.0.0, latest: 7.0.0]
    - six [required: <2.0.0,>=1.0.0, locked: 1.12.0, latest: 1.12.0]
  - more-itertools [required: >=4.0.0, locked: 7.0.0, latest: 7.0.0]
  - pathlib2 [required: >=2.2.0, locked: 2.3.3, latest: 2.3.3]
    - scandir [required: *, locked: 1.10.0, latest: 1.10.0]
    - six [required: *, locked: 1.12.0, latest: 1.12.0]
  - pluggy [required: >=0.9, locked: 0.9.0, latest: 0.9.0]
  - py [required: >=1.5.0, locked: 1.8.0, latest: 1.8.0]
  - setuptools [required: *, locked: 41.0.0, latest: 41.0.0]
  - six [required: >=1.10.0, locked: 1.12.0, latest: 1.12.0]
Hm... Is it as many as it seems? Let's look at their size.
$ dephell inspect venv --filter=lib_size
11.96Mb
Ugh... OK, it's Python. Are they up to date?
$ dephell deps outdated
[
{
"description": "More routines for operating on iterables, beyond itertools",
"installed": [
"5.0.0"
],
"latest": "7.0.0",
"name": "more-itertools",
"updated": "2019-03-28"
},
]
Pytest requires an old version of more-itertools. That happens.
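The check the walkthrough just did by hand (reading deps tree and deps outdated to see that pytest's constraint holds more-itertools at 5.0.0) can be scripted as a pre-deploy gate. This is an added example, not DepHell's own code; it parses the text format of dephell deps tree shown above, and the sample tree is constructed from that output with its indentation restored.

```python
"""Report dependencies locked behind their latest release in `dephell deps tree`
output, naming the parent package whose constraint holds each one back.
Added example, not part of DepHell; SAMPLE_TREE is constructed from the
walkthrough's tree output (indentation restored)."""
import re

# One tree line: "<indent>- name [required: R, locked: L, latest: X]".
# `required` may itself contain commas (e.g. "<6.0.0,>=4.0.0"), so it is
# matched non-greedily up to the literal ", locked: ".
LINE_RE = re.compile(
    r"^(?P<indent>\s*)- (?P<name>\S+) \[required: (?P<required>.+?), "
    r"locked: (?P<locked>[^,]+), latest: (?P<latest>[^\]]+)\]$"
)

SAMPLE_TREE = """\
- check-manifest [required: *, locked: 0.37, latest: 0.37]
- pytest [required: *, locked: 4.4.0, latest: 4.4.0]
  - more-itertools [required: <6.0.0,>=4.0.0, locked: 5.0.0, latest: 7.0.0]
    - six [required: <2.0.0,>=1.0.0, locked: 1.12.0, latest: 1.12.0]
  - pathlib2 [required: >=2.2.0, locked: 2.3.3, latest: 2.3.3]
    - six [required: *, locked: 1.12.0, latest: 1.12.0]
"""

def version_key(v):
    """Sort key for dotted numeric versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_tree(text):
    """Turn the indented tree into records, each carrying its parent's name."""
    records, stack = [], []  # stack: (indent, name) of the open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        depth = len(m.group("indent"))
        while stack and stack[-1][0] >= depth:
            stack.pop()  # close siblings and deeper branches
        rec = {k: m.group(k) for k in ("name", "required", "locked", "latest")}
        rec["parent"] = stack[-1][1] if stack else None
        records.append(rec)
        stack.append((depth, rec["name"]))
    return records

def held_back(text):
    """(name, locked, latest, parent, required) for every lagging package."""
    return [(r["name"], r["locked"], r["latest"], r["parent"], r["required"])
            for r in parse_tree(text)
            if version_key(r["locked"]) < version_key(r["latest"])]

if __name__ == "__main__":
    for name, locked, latest, parent, req in held_back(SAMPLE_TREE):
        print(f"{name}: locked {locked}, latest {latest}; "
              f"held back by {parent} (requires {req})")
```

Pipe real output in with dephell deps tree | python3 this_script.py after swapping SAMPLE_TREE for sys.stdin.read(); a non-empty result is a reasonable thing to fail CI on before project build.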
If our tests and dependencies are OK, it's time to deploy. First of all, increment the project version:
$ dephell project bump minor
INFO generated new version (old=1.2.0, new=1.3.0)
And then build packages:
$ dephell project build
INFO dumping... (format=setuppy)
INFO dumping... (format=egginfo)
INFO dumping... (format=sdist)
INFO dumping... (format=wheel)
INFO builded
Now, we can upload these packages to PyPI:
dephell self auth upload.pypi.org my-username my-password
dephell project upload
These are some of the most useful commands. See documentation for more details.
DepHell is tested on Linux and Mac OS X with Python 3.5, 3.6, 3.7. And one of the coolest things is that DepHell is run by DepHell on Travis CI.
DepHell works on Windows but has no CI yet to keep it working.
Thank you :heart: