feynmanix/pipask: Safer python package installs with audit and consent 𝘣𝘦𝘧𝘰𝘳𝘦 install

A safer way to install Python packages without compromising convenience.

Pipask is a drop-in replacement for pip that performs security checks before installing a package.
Unlike pip, which needs to download and execute code from source distribution first to get dependency metadata,
pipask relies on metadata from PyPI whenever possible. If 3rd party code execution is necessary, pipask asks for consent first.
The actual installation is handed over to pip if installation is approved.

See the introductory blog post for more information.

The recommended way to install pipask is with pipx to isolate dependencies:

Alternatively, you can install it using pip:

Use pipask exactly as you would use pip:

pipask install requests
pipask install 'fastapi>=0.100.0'
pipask install -r requirements.txt

For maximum convenience, alias pip to point to pipask:

Add this to your shell configuration file (~/.bashrc, ~/.bash_profile, ~/.zshrc, etc.). You can always fall back to native pip with python -m pip if needed.

To run checks without installing, use the --dry-run flag:

pipask install requests --dry-run

Pipask performs these checks before allowing installation:

• Repository popularity – verification of links from PyPI to repositories, number of stars on GitHub or GitLab source repo (warning below 1000 stars)
• Package and release age – warning for new packages (less than 22 days old) or stale releases (older than 365 days)
• Known vulnerabilities in the package available in PyPI (failure for HIGH or CRITICAL vulnerabilities, warning for MODERATE vulnerabilities)
• Number of downloads from PyPI in the last month (warning below 1000 downloads)
• Metadata verification: Checks for license availability, development status, and yanked packages

All checks are executed for requested (i.e., explicitly specified) packages. Only the known vulnerabilities check is executed for transitive dependencies.

Under the hood, pipask:

1. Uses PyPI’s JSON API to retrieve metadata without downloading or executing code
2. When code execution is unavoidable, asks for confirmation first
3. Collects security information from multiple sources:
   • Download statistics from pypistats.org
   • Repository popularity from GitHub or GitLab
   • Vulnerability details from OSV.dev
   • Attestation metadata from PyPI integrity API
4. Presents a formatted report and asks for consent
5. Hands over to standard pip for the actual installation if approved

See CONTRIBUTING.md for development guidance.