pipask: Know What You're Installing Before It's Too Late

A safer way to install Python packages without compromising convenience.

Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which needs to download and execute code from source distribution first to get dependency metadata, pipask relies on metadata from PyPI whenever possible. If 3rd party code execution is necessary, pipask asks for consent first. The actual installation is handed over to pip if installation is approved.

See the introductory blog post for more information.

Installation

The recommended way to install pipask is with pipx to isolate dependencies:

    pipx install pipask

Alternatively, you can install it using pip:

    pip install pipask

Usage

Use pipask exactly as you would use pip:

    pipask install requests
    pipask install 'fastapi>=0.100.0'
    pipask install -r requirements.txt

For maximum convenience, alias pip to point to pipask:

    alias pip='pipask'

Add this to your shell configuration file (~/.bashrc, ~/.bash_profile, ~/.zshrc, etc.). You can always fall back to native pip with python -m pip if needed.

To run checks without installing, use the --dry-run flag:

    pipask install requests --dry-run

Security Checks

Pipask performs these checks before allowing installation:

- Repository popularity - verification of links from PyPI to repositories, number of stars on GitHub or GitLab source repo (warning below 1000 stars)
- Package and release age - warning for new packages (less than 22 days old) or stale releases (older than 365 days)
- Known vulnerabilities in the package available in PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
...
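The age and popularity thresholds listed above, applied to PyPI-style metadata. This is an added example, not pipask's own code: the function names, the reading of "package age" as time since the first upload of any release, and the handling of missing timestamps or a missing repository are assumptions, and the sample metadata is constructed.

```python
from datetime import datetime, timezone

# Thresholds as stated on the page; everything else here is an assumption.
NEW_PACKAGE_DAYS = 22
STALE_RELEASE_DAYS = 365
MIN_STARS = 1000


def _upload_times(files):
    """Parse upload timestamps from one release's file list (PyPI JSON API shape)."""
    return [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            for f in files if f.get("upload_time_iso_8601")]


def age_and_popularity_warnings(metadata, version, stars, now):
    """Return warning strings; stars is None when no repository link was verified."""
    warnings = []
    releases = metadata.get("releases", {})
    all_times = [t for files in releases.values() for t in _upload_times(files)]
    this_times = _upload_times(releases.get(version, []))
    if not all_times or not this_times:
        # No upload timestamps: age cannot be established, so do not pass silently.
        warnings.append("age unknown: no upload timestamps for this release")
    else:
        package_age = (now - min(all_times)).days  # assumed: since first upload
        release_age = (now - min(this_times)).days
        if package_age < NEW_PACKAGE_DAYS:
            warnings.append(f"new package: first upload {package_age} days ago")
        if release_age > STALE_RELEASE_DAYS:
            warnings.append(f"stale release: {version} is {release_age} days old")
    if stars is None:
        warnings.append("no verified source repository")
    elif stars < MIN_STARS:
        warnings.append(f"low popularity: {stars} stars")
    return warnings


# Constructed sample metadata (not real PyPI data).
NOW = datetime(2025, 5, 3, tzinfo=timezone.utc)
FRESH = {"releases": {"0.1.0": [{"upload_time_iso_8601": "2025-04-25T10:00:00.000000Z"}]}}
OLD = {"releases": {
    "1.0.0": [{"upload_time_iso_8601": "2019-01-01T00:00:00.000000Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2023-06-01T00:00:00.000000Z"}],
    "2.0.0": [],  # release entry with no uploaded files
}}

if __name__ == "__main__":
    for meta, ver, stars in [(FRESH, "0.1.0", 12), (OLD, "1.1.0", 5400), (OLD, "2.0.0", None)]:
        print(ver, age_and_popularity_warnings(meta, ver, stars, NOW))
```

The same function can be fed the JSON returned by PyPI for a real package to see which of these warnings a dependency would trigger before it is installed.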
First seen: 2025-05-03 14:44
Last seen: 2025-05-03 23:45