
PyPIPlus.com — explore Python packages better: full dependency trees, reverse dependents, OSV CVEs, licenses, offline bundles

published on 2025-11-05 14:52:37 UTC by /u/RoyalW1zard
Content:

I built PyPIPlus.com, a tool to explore Python packages in depth, and I’d love your feedback. In the past, two of my posts about this project went viral, and the feedback from the community helped shape it into what it is today. Now I’m focusing on how PyPIPlus can specifically help cybersecurity teams, researchers, and anyone interested in the security side of Python packages:

Below is what the site currently does: PyPIPlus.com can be used to check a Python package's dependencies (incl. extras), reverse dependents, OSV CVEs, licenses, health score, purity, and to generate offline, ready-to-install bundles.

  • Dependency tree: direct + transitive deps, extras, env markers
  • Reverse dependents: what other packages use this package
  • Security: OSV CVEs per version, affected/fixed ranges, CSV exports/copy
  • Licenses: per package and each sub-dependency in a full tree view
  • Health score: 0–100 + A–F (last updates, security vulns, docs, etc.)
  • Purity: pure-Python vs compiled via analysis of wheel tags/build metadata (only marked pure Python if the package and all dependencies are pure)
  • Offline bundles: all wheels + SBOM + licenses, reproducible and air-gapped

Bundle contents:

  • wheels/ → all dependency wheels
  • requirements.txt → pinned versions
  • install.py → universal installer (Windows/macOS/Linux)
  • sbom.cdx.json → CycloneDX SBOM for security scans
  • LICENSES.md → license summary for all packages
  • NOTICE → attribution (when required)

Install: python install.py
Scan: osv-scanner --sbom sbom.cdx.json

Live: https://pypiplus.com
Example (flask v2.3.1): https://pypiplus.com/project/flask/2.3.1/

Previous Posts:

If you’re new to the project:

submitted by /u/RoyalW1zard
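A defender-side look at what the bundle's `osv-scanner --sbom sbom.cdx.json` step does, as an added Python example that is not part of the post or of PyPIPlus: it reads a constructed CycloneDX SBOM and applies OSV's ordered introduced/fixed range semantics to each component. The advisory id and ranges are placeholders, and version parsing is simplified to plain dotted releases.

```python
import json
# Constructed CycloneDX SBOM like the bundle's sbom.cdx.json (made-up components, not real tool output).
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "flask", "version": "2.3.1", "purl": "pkg:pypi/flask@2.3.1"},
    {"type": "library", "name": "werkzeug", "version": "2.3.8", "purl": "pkg:pypi/werkzeug@2.3.8"},
]})
# Constructed OSV-style advisory: placeholder id, hypothetical range, real OSV ECOSYSTEM event shape.
SAMPLE_ADVISORIES = [{"id": "OSV-EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "PyPI", "name": "flask"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.3.2"}]}],
}]}]
def parse_version(v):
    """Simplification: plain dotted releases (2.3.1); PEP 440 pre-releases/epochs not handled."""
    return tuple(int(p) for p in v.split("."))

def affected_windows(events):
    """Pair each 'introduced' with the 'fixed'/'last_affected' event that closes it (None if open)."""
    windows, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif start is not None:
            windows.append((start, ev))
            start = None
    return windows + ([(start, None)] if start is not None else [])

def version_is_affected(version, events):
    """OSV semantics: introduced <= version and (no fix yet, version < fixed, or version <= last_affected)."""
    v = parse_version(version)
    for start, end in affected_windows(events):
        if v < parse_version(start):  # OSV uses "0" for 'affected since the first release'
            continue
        if end is None or ("fixed" in end and v < parse_version(end["fixed"])) \
                or ("last_affected" in end and v <= parse_version(end["last_affected"])):
            return True
    return False

def scan_sbom(sbom_json, advisories):
    """Minimal osv-scanner: check every SBOM component against the advisories' PyPI ranges."""
    findings = set()
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"].lower(), comp["version"]
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == "PyPI" and pkg["name"].lower() == name and any(
                        r["type"] == "ECOSYSTEM" and version_is_affected(version, r["events"])
                        for r in aff["ranges"]):
                    findings.add((name, version, adv["id"]))
    return sorted(findings)
```

Running `scan_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)` flags flask 2.3.1 (inside the placeholder range) and leaves werkzeug untouched; a real scan replaces the constructed advisory list with the OSV database the page's `osv-scanner` command queries.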

https://www.reddit.com/r/netsec/comments/1op4y54/pypipluscom_explore_python_packages_better_full/   
Feed: /r/netsec - Information Security News and Discussion