Since `pip` is a command-line tool, it does not have an official, supported, importable API.

However, this does not mean that people haven't tried to `import pip`, usually to end up with much headache when `pip`'s maintainers do routine refactoring.

The goal of this project is to provide an importable `pip` API, which is fully compliant with the recommended method of using `pip` from your program.

How? By providing an importable API that wraps command-line calls to `pip`, this library can be used as a drop-in replacement for existing uses of `pip`'s internal API.

This goal means that any new API added here must have the following equivalents:

- some internal `pip` API (or combination of internal APIs)
- some `pip` CLI call

Any functionality that is not currently possible from internal `pip` API or CLI calls is out of scope.
You can install `pip-api` with either `pip` or with `conda`.

With pip:

```shell
python -m pip install pip-api
```

With conda:

```shell
conda install -c conda-forge pip-api
```
Not all commands are supported in all versions of `pip` and on all platforms. If the command you are trying to use is not compatible, `pip_api` will raise a `pip_api.exceptions.Incompatible` exception for your program to catch.
All `pip` versions:

- `pip_api.version()`

  Returns the `pip` version as a string, e.g. `"9.0.1"`.

- `pip_api.installed_distributions(local=False)`

  Returns a list of all installed distributions as `Distribution` objects with the following attributes:

  - `Distribution.name` (`string`): The name of the installed distribution
  - `Distribution.version` (`packaging.version.Version`): The version of the installed distribution
  - `Distribution.location` (`string`): The location of the installed distribution
  - `Distribution.editable` (`bool`): Whether the distribution is editable or not

  Optionally takes a `local` parameter to filter out globally-installed packages.
- `pip_api.parse_requirements(filename, options=None, include_invalid=False, strict_hashes=False)`

  Takes the path to a requirements file. Returns a mapping from package name to a `pip_api.Requirement` object (subclass of `packaging.requirements.Requirement`) with the following attributes:

  - `Requirement.name` (`string`): The name of the requirement.
  - `Requirement.extras` (`set`): A set of extras that the requirement specifies.
  - `Requirement.specifier` (`packaging.specifiers.SpecifierSet`): A `SpecifierSet` of the version specified by the requirement.
  - `Requirement.marker` (`packaging.markers.Marker`): A `Marker` of the marker for the requirement. Can be `None`.
  - `Requirement.hashes` (`dict`): A mapping of hashes for the requirement, corresponding to `--hash=...` options.
  - `Requirement.editable` (`bool`): Whether the requirement is editable, corresponding to `-e ...`.
  - `Requirement.filename` (`str`): The filename that the requirement originates from.
  - `Requirement.lineno` (`int`): The source line that the requirement was parsed from.

  Optionally takes an `options` parameter to override the regex used to skip requirements lines. Optionally takes an `include_invalid` parameter to return an `UnparsedRequirement` in the event that a requirement cannot be parsed correctly. Optionally takes a `strict_hashes` parameter to require that all requirements have associated hashes.
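To make the `strict_hashes` behaviour concrete, here is an added, self-contained example (written for this page, not `pip_api.parse_requirements` itself) of a small requirements parser that produces the same kind of per-requirement record (name, extras, specifier text, `--hash` mapping, filename, line number) and, in strict mode, refuses what pip's own hash-checking mode refuses: a requirement with no `--hash`, or one whose version is not pinned with `==`. The helper names (`parse_requirements_text`, `strict_hash_problem`, `StrictHashError`) and the sample file are constructed for the illustration; the parser handles only the subset of requirements syntax the sample uses and deliberately avoids a dependency on `packaging`.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Hypothetical, self-contained parser written for this page to show what a
# strict_hashes-style check has to enforce. It is NOT pip_api.parse_requirements
# and covers only the subset of requirements syntax used in the sample below.

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_HASH_RE = re.compile(r"--hash[= ]+([A-Za-z0-9]+):([0-9A-Fa-f]+)")
_COMMENT_RE = re.compile(r"(^|\s)#.*$")


class StrictHashError(ValueError):
    """A requirement cannot be installed safely in hash-checking mode."""


@dataclass
class Requirement:
    name: str
    extras: Set[str]
    specifier: str                  # e.g. "==2.31.0", kept as text (no packaging dependency)
    hashes: Dict[str, List[str]]    # algorithm -> accepted digests, like Requirement.hashes
    filename: str
    lineno: int                     # first physical line of the requirement


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Join backslash-continued lines, remembering where each requirement started."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not buf:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def parse_requirements_text(text: str, filename: str = "<constructed>",
                            strict_hashes: bool = False) -> Dict[str, Requirement]:
    """Return name -> Requirement. With strict_hashes, reject anything pip's hash-checking
    mode would refuse: a missing --hash, or a version that is not pinned with ==."""
    result: Dict[str, Requirement] = {}
    for lineno, logical in _logical_lines(text):
        line = _COMMENT_RE.sub("", logical).strip()
        if not line or line.startswith("-"):
            continue  # blank lines and option lines such as -r, -e, --index-url
        hashes: Dict[str, List[str]] = {}
        for algo, digest in _HASH_RE.findall(line):
            hashes.setdefault(algo.lower(), []).append(digest.lower())
        body = _HASH_RE.sub("", line).split(";", 1)[0].strip()  # drop hashes and markers
        m = _NAME_RE.match(body)
        if m is None:
            raise ValueError(f"{filename}:{lineno}: cannot parse {body!r}")
        name = m.group(1)
        extras = {e.strip() for e in m.group(2)[1:-1].split(",") if e.strip()} if m.group(2) else set()
        specifier = m.group(3).replace(" ", "")
        if strict_hashes:
            if not hashes:
                raise StrictHashError(f"{filename}:{lineno}: {name} has no --hash option")
            if not specifier.startswith("=="):
                raise StrictHashError(f"{filename}:{lineno}: {name} must be pinned with == for hash checking")
        result[name.lower().replace("_", "-")] = Requirement(name, extras, specifier, hashes, filename, lineno)
    return result


def strict_hash_problem(text: str, filename: str = "<constructed>") -> Optional[str]:
    """Convenience wrapper: the first strict-mode complaint as a string, or None if clean."""
    try:
        parse_requirements_text(text, filename, strict_hashes=True)
    except StrictHashError as exc:
        return str(exc)
    return None


# Constructed sample input; the digests are placeholders, not real file hashes.
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "requests[security]==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + " \\\n"
    "    --hash=sha256:" + "b" * 64 + "\n"
    "packaging>=23.0   # unpinned and unhashed: rejected under strict_hashes\n"
)

if __name__ == "__main__":
    for name, req in parse_requirements_text(SAMPLE_REQUIREMENTS).items():
        print(f"{name}{req.specifier} extras={sorted(req.extras)} hashes={sum(map(len, req.hashes.values()))}")
    print("strict mode:", strict_hash_problem(SAMPLE_REQUIREMENTS))
```

The line number recorded is the first physical line of a continued requirement, which is what a tool reporting "line N of requirements.txt has no hash" needs; the `==` check is included because a hash without an exact pin still leaves the resolver free to pick a different artifact, which is why pip's hash-checking mode requires both.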
`pip>=8.0.0`:

- `pip_api.hash(filename, algorithm='sha256')`

  Returns the resulting hash as a string. Valid `algorithm` parameters are `'sha256'`, `'sha384'`, and `'sha512'`.
`pip>=19.2`:

- `pip_api.installed_distributions(local=False, paths=[])`

  As described above, but with an extra optional `paths` parameter to provide a list of locations to look for installed distributions. Attempting to use the `paths` parameter with `pip<19.2` will result in a `PipError`.
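The two version-gated entries above (`hash` from pip 8, `paths` from pip 19.2) and the `Incompatible` exception all follow from the same design: each importable function is a wrapper around one `pip` CLI call, and the wrapper checks the installed `pip` version before it tries to use a flag that older releases do not have. The following added example (written for this page, not `pip_api`'s own implementation) sketches that pattern with hypothetical helpers: `parse_version_output` reads `pip --version`, `is_compatible`/`require_version` do the gating, `list_args` builds the `pip list --format=json [--local] [--path ...]` command behind `installed_distributions`, and `parse_hash_output` reads the `--hash=<algo>:<digest>` line that `pip hash` prints. The sample outputs are constructed so the parsers can be exercised without spawning pip; `pip_version()` and `pip_hash()` do spawn the interpreter's own pip.

```python
import re
import subprocess
import sys
from typing import List, Sequence, Tuple

# Added illustration of the page's approach (an importable function per pip feature, backed by
# a CLI call, gated on the pip version). Hypothetical helper names; not pip_api's own code.

Version = Tuple[int, ...]

_VERSION_RE = re.compile(r"^pip (\d+(?:\.\d+)*)")
_HASH_LINE_RE = re.compile(r"^--hash=([A-Za-z0-9]+):([0-9A-Fa-f]+)$")


class Incompatible(Exception):
    """Installed pip is too old for the requested feature (cf. pip_api.exceptions.Incompatible)."""


def parse_version_output(output: str) -> Version:
    """Parse the first line of `pip --version`, e.g. 'pip 24.0 from /site-packages/pip (python 3.12)'."""
    m = _VERSION_RE.match(output.strip())
    if m is None:
        raise ValueError(f"unrecognised `pip --version` output: {output!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_compatible(version: Version, minimum: Version) -> bool:
    """Compare release tuples, zero-padded so that 8.0 satisfies a minimum of 8.0.0."""
    width = max(len(version), len(minimum))

    def pad(v: Version) -> Version:
        return tuple(v) + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def require_version(version: Version, minimum: Version, feature: str) -> None:
    """Refuse up front, with a clear message, instead of letting an old pip reject an unknown flag."""
    if not is_compatible(version, minimum):
        found = ".".join(map(str, version))
        needed = ".".join(map(str, minimum))
        raise Incompatible(f"{feature} needs pip>={needed}, found pip {found}")


def list_args(version: Version, local: bool = False, paths: Sequence[str] = ()) -> List[str]:
    """Build the `pip list` command line behind installed_distributions(local, paths);
    --path only exists from pip 19.2, so older pips are refused before anything runs."""
    args = ["list", "--format=json"]
    if local:
        args.append("--local")
    if paths:
        require_version(version, (19, 2), "the paths parameter")
        for path in paths:
            args += ["--path", path]
    return args


def parse_hash_output(output: str) -> str:
    """`pip hash` prints the path on one line and `--hash=<algo>:<digest>` on the next."""
    for line in output.splitlines():
        m = _HASH_LINE_RE.match(line.strip())
        if m:
            return m.group(2).lower()
    raise ValueError("no --hash line in `pip hash` output")


def run_pip(*args: str) -> str:
    """Invoke the pip belonging to the running interpreter and return its stdout."""
    completed = subprocess.run([sys.executable, "-m", "pip", *args],
                               capture_output=True, text=True, check=True)
    return completed.stdout


def pip_version() -> Version:
    return parse_version_output(run_pip("--version"))


def pip_hash(path: str, algorithm: str = "sha256") -> str:
    """Shape of pip_api.hash: gate on the version first, then wrap `pip hash --algorithm`."""
    require_version(pip_version(), (8, 0, 0), "pip hash")
    return parse_hash_output(run_pip("hash", "--algorithm", algorithm, path))


# Constructed sample outputs so the parsers can be exercised without spawning pip.
SAMPLE_VERSION_OUTPUT = "pip 19.1.1 from /tmp/site-packages/pip (python 3.7)\n"
SAMPLE_HASH_OUTPUT = "/tmp/example-1.0-py3-none-any.whl:\n--hash=sha256:" + "f" * 64 + "\n"

if __name__ == "__main__":
    old = parse_version_output(SAMPLE_VERSION_OUTPUT)
    print("sample pip", old, "supports --path:", is_compatible(old, (19, 2)))
    print("sample digest:", parse_hash_output(SAMPLE_HASH_OUTPUT)[:16], "...")
    print("live pip version:", pip_version())
```

Using `sys.executable -m pip` rather than a bare `pip` on `PATH` is the part worth copying: it guarantees the wrapper inspects the same environment the calling program runs in, which is exactly what an audit or hash-pinning tool built on this library needs.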
This library is in use by a number of other tools, including:

- `pip-audit`, to analyze dependencies for known vulnerabilities
- `pytest-reqs`, to compare requirements files with test dependencies
- `hashin`, to add hash pinning to requirements files
An unofficial, importable pip API
We found that pip-api demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.