Troubleshooting

What is pip-rating used for?

Pip-rating is useful in many different scenarios:

  • Avoid introducing potentially malicious dependencies into your application.

  • Compare dependencies based on criteria such as community or age.

  • Monitor if your dependencies are no longer supported.

  • Check if there are vulnerabilities in any of your dependencies.

  • Check all your dependencies and their state as a tree.

Pip-rating can analyze the dependencies file of a library, a project, or a specific package.

What is the idea behind this project?

The idea for this project came from this great XKCD comic:

Dependency - from the XKCD comic 2347

The author of this comic is Randall Munroe from XKCD.

Why does my package have a low rate?

Pip-rating determines the score based on two main criteria:

  • The scoring criteria described in Scores breakdown.

  • The rating of the package’s dependencies. Your package rating cannot exceed the rating of its dependencies. That is, your package’s score is limited by your dependencies.

In the last point, it is indicated with the syntax Original rating -> new rating. For example: A -> C. In this example, A is your original score and C the new rating after apply this limitation.

You can see the analysis of your package in more detail using:

$ pip-rating analyze-package <your-package-name>

Please note that pip-rating uses open source such as Github. Pip-rating may not detect your source, and some scores may not add up to your rating.

why the github limit is exceeded?

Pip-rating uses Github to obtain information about the packages. Github has a limit of 60 requests per hour for unauthenticated users. If you exceed this limit, you will see an error like this:

$ pip-rating
GitHub rate limit exceeded. Set GITHUB_TOKEN environment variable to increase the limit.

This error is not critial and you can ignore it. But some information will not be available. If you want to increase the limit, you can create a Github token and use it as an environment variable:

$ export GITHUB_TOKEN=your-token
$ pip-rating

For read more about Github tokens, see this Github documentation.

I am having errors with Pip-rating. How can I report them?

You can report it on the issues page on Github. Before reporting, check that is a Pip-rating error and that is not duplicated. To make it easier to close the bug, add as much information possible.