Typosquatting is a thing that has been looked at and is being looked at:
https://github.com/pypi/warehouse/pull/5001 - had to be reverted because it was too noisy
https://github.com/pypi/warehouse/issues/9527
Try using mamba (https://github.com/mamba-org/mamba)
We ran into many unsolvable or 30m+ solvable envs with conda that mamba handled quickly.
The underlying solver can be used with conda directly as well, but I have not done that (https://www.anaconda.com/blog/a-faster-conda-for-a-growing-c...)
Just to be clear, package metadata already is sort of available through the pypi json api. I've got the entire set of all package metadata here: https://github.com/orf/pypi-data
$ gzcat release_data/c/d/cdklabs.cdk-hyperledger-fabric-network.json.gz | jq '. | to_entries | .[].value.info.requires_dist' | head
If the package is available as a wheel, you don't need to execute code to see what the requirements are; you just need to parse the "METADATA" file. However, the only way to get the METADATA for a wheel (using PyPA standard APIs, anyway) is to download the whole wheel.
For comparison, pacman (the Arch Linux package manager) packages have a fairly similar ".PKGINFO" file in them; but in order to support resolving dependencies without downloading the packages, the server's repository index includes not just a listing of the (name, version) tuple for each package, it also includes each package's full .PKGINFO.
Enhancing the PyPA "Simple repository API" to allow fetching the METADATA independently of the wheel would be a relatively simple enhancement that would make a big difference.
----
As I was writing this comment, I discovered that PyPA did this, adopting PEP 658 in March of this year. https://github.com/pypa/packaging.python.org/commit/1ebb57b7...
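
An added example (not part of the comment above or of any PyPA tool) showing the point about wheels: the requirements can be read by parsing the METADATA file as text, without importing or running anything from the package. The package name `demo-pkg`, its contents and the helper names are constructed for illustration.

```python
import io
import zipfile
from email.parser import HeaderParser


def wheel_requirements(wheel_bytes):
    """Return (name, version, requires_dist) read from a wheel's METADATA file.

    Only reads and parses text; nothing from the package is imported or executed.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        # A wheel carries one top-level "<name>-<version>.dist-info/" directory.
        candidates = [
            n for n in zf.namelist()
            if n.count("/") == 1 and n.endswith(".dist-info/METADATA")
        ]
        if len(candidates) != 1:
            raise ValueError(f"expected one dist-info/METADATA, found {len(candidates)}")
        raw = zf.read(candidates[0]).decode("utf-8")
    # METADATA uses RFC 822 style headers; Requires-Dist may appear many times.
    msg = HeaderParser().parsestr(raw)
    return msg["Name"], msg["Version"], msg.get_all("Requires-Dist") or []


def build_sample_wheel():
    """Constructed sample: a minimal in-memory wheel for a made-up package."""
    metadata = (
        "Metadata-Version: 2.1\n"
        "Name: demo-pkg\n"
        "Version: 1.0.0\n"
        "Requires-Dist: requests (>=2.0)\n"
        "Requires-Dist: colorama ; sys_platform == 'win32'\n"
        "\n"
        "Long description goes here.\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # This module would raise if imported; the parser never touches it.
        zf.writestr("demo_pkg/__init__.py", "raise RuntimeError('never imported')\n")
        zf.writestr("demo_pkg-1.0.0.dist-info/METADATA", metadata)
        zf.writestr("demo_pkg-1.0.0.dist-info/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(wheel_requirements(build_sample_wheel()))
```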
I did a proof-of-concept for this a few years ago: https://github.com/jogjayr/pykg