Name | pipask
Version | 0.9.7
Summary | Safer python package installation with audit and consent before install
upload_time | 2025-09-07 09:35:10
author | Feynmanix
requires_python | >=3.10
license | MIT
keywords | pip, security
requirements | No requirements were recorded.
# pipask: Know What You're Installing Before It's Too Late
A safer way to install Python packages without compromising convenience.

Pipask is a drop-in replacement for pip that performs security checks before installing a package.
Unlike `pip`, which first has to download and execute code from a source distribution to obtain dependency metadata,
pipask relies on metadata from PyPI whenever possible. If third-party code execution is necessary, pipask asks for consent first.
The actual installation is handed over to `pip` if installation is approved.
See the **[introductory blog post](https://medium.com/data-science-collective/pipask-know-what-youre-installing-before-it-s-too-late-2a6afce80987)** for more information.
## Installation
The recommended way to install `pipask` is with [pipx](https://pipx.pypa.io/stable/#install-pipx) to isolate dependencies:
```bash
pipx install pipask
```
Alternatively, you can install it using `pip`:
```bash
pip install pipask
```
## Usage
Use `pipask` exactly as you would use `pip`:
```bash
pipask install requests
pipask install 'fastapi>=0.100.0'
pipask install -r requirements.txt
```
For maximum convenience, alias pip to point to pipask:
```bash
alias pip='pipask'
```
Add this to your shell configuration file (`~/.bashrc`, `~/.bash_profile`, `~/.zshrc`, etc.). You can always fall back to native pip with `python -m pip` if needed.
To run checks without installing, use the `--dry-run` flag:
```bash
pipask install requests --dry-run
```
## Security Checks
Pipask performs these checks before allowing installation:
* **Repository popularity** - verification of links from PyPI to repositories, number of stars on the GitHub or GitLab source repo (warning below 1000 stars, bold warning below 100)
* **Package and release age** - warning for new packages (less than 22 days old) or stale releases (older than 365 days)
* **Known vulnerabilities** in the package available on PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
* **Number of downloads** from PyPI in the last month (failure below 100 downloads, warning below 5000)
* **Metadata verification** - checks for license availability, development status, and yanked packages
All checks are executed for requested (i.e., explicitly specified) packages. Only the known vulnerabilities check is executed for transitive dependencies.
## How pipask works
Under the hood, pipask:
1. Uses PyPI's JSON API to retrieve metadata without downloading or executing code
2. When code execution is unavoidable, asks for confirmation first
3. Collects security information from multiple sources:
   - Download statistics from pypistats.org
   - Repository popularity from GitHub or GitLab
   - Vulnerability details from OSV.dev
   - Attestation metadata from PyPI integrity API
4. Presents a formatted report and asks for consent
   - _Tip: You may notice some parts of the report are underlined on supported terminals. These are hyperlinks you can open (e.g., with Cmd+click in iTerm)_
5. Hands over to standard pip for the actual installation if approved
## Development
See [CONTRIBUTING.md](https://github.com/feynmanix/pipask/blob/main/CONTRIBUTING.md) for development guidance.