Uproot is a reader and a writer of the ROOT file format using only Python and NumPy. Unlike the standard C++ ROOT implementation, Uproot is only an I/O library, primarily intended to stream data into machine learning libraries in Python. Unlike PyROOT and root_numpy, Uproot does not depend on C++ ROOT. Instead, it uses NumPy to cast blocks of data from the ROOT file as NumPy arrays.
Uproot can be installed from PyPI using pip (Awkward Array is optional but highly recommended):
pip install uproot awkward
Uproot is also available using conda (so is Awkward Array, which conda installs automatically):
conda install -c conda-forge uproot
If you have already added conda-forge as a channel, the -c conda-forge is unnecessary. Adding the channel is recommended because it ensures that all of your packages use compatible versions:
conda config --add channels conda-forge
conda update --all
Note: if you need to write ROOT files, you'll need to use the deprecated uproot3 for now. This feature is coming to the new version soon.
Start with the tutorials and reference documentation.
Uproot is an ordinary Python library; you can get a copy of the code with
git clone https://github.com/scikit-hep/uproot4.git
and install it locally by calling pip install . in the repository directory.
If you need to develop Awkward Array as well, see its installation for developers.
Uproot's only strict dependency is NumPy. This is the only dependency that pip will automatically install.
Awkward Array is highly recommended. It is not a strict dependency to allow Uproot to be used in restrictive environments. If you're using Uproot without Awkward Array, you'll have to use the library="np" option or globally set uproot.default_library to return arrays as NumPy arrays (see documentation).
awkward: be sure to use Awkward Array 1.x.
The following libraries are also useful in conjunction with Uproot, but are not necessary. If you call a function that needs one, you'll be prompted to install it. (Conda installs most of these automatically.)
For ROOT files, compressed different ways:
lz4 and xxhash: only if reading ROOT files that have been LZ4-compressed.
zstandard: only if reading ROOT files that have been ZSTD-compressed.
backports.lzma: only if reading ROOT files that have been LZMA-compressed (in Python 2).
For remote data:
xrootd: only if reading files with root:// URLs.
For exporting data to other libraries:
pandas: only if library="pd".
cupy: only if library="cp" (reads arrays onto GPUs).
boost-histogram: only if converting histograms to boost-histogram with histogram.to_boost().
hist: only if converting histograms to hist with histogram.to_hist().
Support for this work was provided by NSF cooperative agreement OAC-1836650 (IRIS-HEP), grant OAC-1450377 (DIANA/HEP) and PHY-1520942 (US-CMS LHC Ops).
Thanks especially to the gracious help of Uproot contributors (including the original repository).
💻: code, 📖: documentation, 🚇: infrastructure, 🚧: maintenance, ⚠: tests and feedback, 🤔: foundational ideas.
FAQs
ROOT I/O in pure Python and NumPy.
We found that uproot4 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.