pip-requirements-parser

v32.0.1

pip requirements parser - a mostly correct pip requirements parsing library because it uses pip's own code. For more information about how to use this package see README

Latest version published 1 year ago

License: MIT

PyPI

GitHub

Package Health Score

66 / 100

security
No known security issues
popularity
Popular
maintenance
Inactive
community
Sustainable

Explore Similar Packages

pipfile
64

Popularity

Popular

GitHub Stars: 16
Forks: 8
Contributors: 200

Direct Usage Popularity

Based on project statistics from the GitHub repository for the PyPI package pip-requirements-parser, we found that it has been starred 16 times.

Security

No known security issues

Security and license risk for latest version

Release Date: Dec 21, 2022
Direct Vulnerabilities: 0
C
0
H
0
M
0
L
Indirect Vulnerabilities: 0
C
0
H
0
M
0
L
License Risk: 0
H
0
M
0
L

All security vulnerabilities belong to production dependencies of direct and indirect packages.

License

MIT

Security Policy

We found a way for you to contribute to the project! Looks like pip-requirements-parser is missing a security policy.

You can connect your project's repository to Snyk to stay up to date on security alerts and receive automatic fix pull requests.

Keep your project free of vulnerabilities with Snyk

Maintenance

Inactive

Commit Frequency

Open Issues: 12
Open PR: 2
Last Release: 1 year ago
Last Commit: 5 months ago

Further analysis of the maintenance status of pip-requirements-parser based on released PyPI versions cadence, the repository activity, and other data points determined that its maintenance is Inactive.

An important project maintenance signal to consider for pip-requirements-parser is that it hasn't seen any new versions released to PyPI in the past 12 months, and could be considered as a discontinued project, or that which receives low attention from its maintainers.

In the past month we didn't find any pull request activity or change in issues status has been detected for the GitHub repository.

Community

Sustainable

Readme: Yes
Contributing.md: No
Code of Conduct: Yes
Contributors: 200
Funding: No

A good and healthy external contribution signal for pip-requirements-parser project, which invites more than one hundred open source maintainers to collaborate on the repository.

Embed Package Health Score Badge

Keep your project healthy

Check your requirements.txt

Ensure all the packages you're using are healthy and well-maintained

Snyk Vulnerability Scanner

Get health score & security insights directly in your IDE

Package

Python Versions Compatibility: >=3.6.0

Age: 2 years
Latest Release: 1 year ago
Dependencies: 2 Direct / 2 Total
Versions: 6
Maintainers: 4
Wheels: OS Independent

Readme

pip-requirements-parser - a mostly correct pip requirements parsing library

Copyright (c) nexB Inc. and others. Copyright (c) The pip developers (see AUTHORS.rst file) SPDX-License-Identifier: MIT Homepage: and

pip-requirements-parser is a mostly correct pip requirements parsing library ... because it uses pip's own code!

pip is the package installer for Python that is using "requirements" text files listing the packages to install.

Per :

> "The requirements file format is closely tied to a number of internal > details of pip (e.g., pip’s command line options). The basic format is > relatively stable and portable but the full syntax, as described here, > is only intended for consumption by pip, and other tools should take > that into account before using it for their own purposes."

And per

> "[..] pip is a command line program. While it is implemented in > Python, and so is available from your Python code via import pip, you > must not use pip’s internal APIs in this way." > > "What this means in practice is that everything inside of pip is > considered an implementation detail. Even the fact that the import > name is pip is subject to change without notice. While we do try not > to break things as much as possible, all the internal APIs can change > at any time, for any reason. It also means that we generally won’t fix > issues that are a result of using pip in an unsupported way."

Because of all this, pip requirements are notoriously difficult to parse right in all their diversity because:

pip does not have a public API and therefore cannot be reliably used as a stable library. Some libraries attempt to do this though. (See Alternative)
The pip requirements file syntax is closely aligned with pip's command line interface and command line options. In some ways a pip requirements file is a list of pip command line options and arguments. Therefore, it is hard to parse these short of reproducing the pip command line options parsing. At least one other library is using a command line option parser to parse options correctly.

This pip-requirements-parser Python library is yet another pip requirements files parser, but this time doing it hopefully correctly and doing as well as pip does it, because this is using pip's own code.

The pip-requirements-parser library offers these key advantages:

Other requirements parsers typically do not work in all the cases that pip supports: parsing any requirement as seen in the wild will fail parsing some valid pip requirements. Since the pip-requirements-parser library is based on pip's own code, it works exactly like pip and will parse all the requirements files that pip can parse.
The pip-requirements-parser library offers a simple and stable code API that will not change without notice.
The pip-requirements-parser library is designed to work offline without making any external network call, while the original pip code needs network access.
The pip-requirements-parser library is a single file that can easily be copied around as needed for easy vendoring. This is useful as requirements parsing is often needed to bootstrap in a constrained environment.
The pip-requirements-parser library has only one external dependency on the common "packaging" package. Otherwise it uses only the standard library. The benefits are the same as being a single file: fewer moving parts helps with using it in more cases.
The pip-requirements-parser library reuses and passes the full subset of the pip test suite that deals with requirements. This is a not really surprising since this is pip's own code. The suite suite has been carefully ported and adjusted to work with the updated code subset.
The standard pip requirements parser depends on the requests HTTP library and makes network connection to PyPI and other referenced repositories when parsing. The pip-requirements-parser library works entirely offline and the requests dependency and calling has been entirely removed.
The pip-requirements-parser library has preserved the complete pip git history for the subset of the code we kept. The original pip code was merged from multiple modules keeping all the git history at the line/blame level using some git fu and git filter repo. The benefit is that we will be able to more easily track and merge future pip updates.
The pip-requirements-parser library has an extensive test suite made of:
- pip's own tests
- new unit tests
- new requirements test files (over 40 new test files)
- the tests suite of some of the main other requirement parsers including:
  
  > -
  > -
  > -
  > -

As a result, it has likely the most comprehensive requiremente parsing test suite around.

Usage

The entry point is the RequirementsFile object:

&gt;&gt;&gt; from pip_requirements_parser import RequirementsFile
&gt;&gt;&gt; rf = RequirementsFile.from_file("requirements.txt")

From there, you can dump to a dict::
>>> rf.to_dict()

Or access the requirements (either InstallRequirement or EditableRequirement objects):

&gt;&gt;&gt; for req in rf.requirements:
...    print(req.to_dict())
...    print(req.dumps())

And the various other parsed elements such as options, commenst and invalid lines that have a parsing error:

&gt;&gt;&gt; rf.options
&gt;&gt;&gt; rf.comment_lines
&gt;&gt;&gt; rf.invalid_lines

Each of these and the requirements hahve a "requirement_line" attribute with the original text.

Finally you can get a requirements file back as a string:

&gt;&gt;&gt; rf.dumps()

Alternative

There are several other parsers that either:

Implement their own parsing and can therefore miss some subtle differences
Or wrap and import pip as a library, working around the lack of pip API

None of these use the approach of reusing and forking the subset of pip that is needed to parse requirements. The ones that wrap pip require network access like pip does. They potentially need updating each time there is a new pip release. The ones that reimplement pip parsing may not support all pip specifics.

Implement a new pip parser

pip-api does not support hashes and certain pip options. It does however use argparse for parsing options and is therefore correctly handling most options. The parser is a single script that only depends on packaging (that is vendored). It is not designed to be used as a single script though and pip is a dependency.
requirements-parser does not support hashes and certain pip options
dparse

Reuse and wrap pip's own parser

requirementslib uses pip-shim which is a set of "shims" around each pip versions in an attempt to offer an API to pip. Comes with 20+ dependencies,
micropipenv
pip-tools

pip-requirements-parser dependencies

packaging pyparsing

FAQs

What is pip-requirements-parser?

pip requirements parser - a mostly correct pip requirements parsing library because it uses pip's own code. Visit Snyk Advisor to see a full health score report for pip-requirements-parser, including popularity, security, maintenance & community analysis.

Is pip-requirements-parser popular?

The python package pip-requirements-parser receives a total of 239,546 weekly downloads. As such, pip-requirements-parser popularity was classified as a popular. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is pip-requirements-parser well maintained?

We found indications that pip-requirements-parser is an Inactive project. See the full package health analysis to learn more about the package maintenance status.

Is pip-requirements-parser safe to use?

The python package pip-requirements-parser was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 25 April-2024, at 01:13 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP