An open API service providing repository metadata for many open source software ecosystems.

GitHub / pandas-dev / pandas

Flexible and powerful data analysis / manipulation library for Python, providing labeled data structures similar to R data.frame objects, statistical functions, and much more

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pandas-dev%2Fpandas
PURL: pkg:github/pandas-dev/pandas

Stars: 47,118
Forks: 19,305
Open issues: 3,624

License: bsd-3-clause
Language: Python
Size: 359 MB
Dependencies parsed at: Pending

Created at: about 15 years ago
Updated at: 4 days ago
Pushed at: 4 days ago
Last synced at: 4 days ago

Commit Stats

Commits: 32480
Authors: 3714
Mean commits per author: 8.75
Development Distribution Score: 0.851
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/pandas-dev/pandas

Topics: alignment, data-analysis, data-science, flexible, pandas, python

Funding Links: https://pandas.pydata.org/donate.html, https://github.com/sponsors/numfocus, https://tidelift.com/funding/github/pypi/pandas

OpenSSF Scorecard report

Overall Score: 6.4

10/10 Critical Risk
38/70 High Risk
27/40 Medium Risk
30/40 Low Risk
Generated on December 10, 2022 | Scorecard v4.8.0

Security Checks

10/10
Binary-Artifacts
High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10
CI-Tests
Low Risk

30 out of 30 merged PRs checked by a CI test -- score normalized to 10

Determines if the project runs tests before pull requests are merged.

10/10
Contributors
Low Risk

47 different organizations found -- score normalized to 10

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

ℹ️ Info: contributors work for 84.51,JuliaLang,OS-Maintainer-Feedback-Group,Quansight,Quansight-Labs,Toblerity,airspeed-velocity,altos-research,apache,asv-runner,blaze,conda-forge,dask,data-apis,datapad,denodrivers,denolib,dlr,euroscipy,geopandas,ibis-project,innobi,maintainers,mesonbuild,microsoft,numfocus,pandanistas,pandas-dev,pandas-ml,pangeo-data,paris-saclay-cds,pattern3,pydata,pygeos,python-sprints,quansight,rapidsai,resample-project,scientific-python,scikit-learn,shapely,stan-ja,statsmodels,tubitv,ursa-labs,voltrondata,washington university in st. louis

10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Fuzzing
Medium Risk

project is fuzzed with [OSSFuzz]

Determines if the project uses fuzzing.

10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: : LICENSE:1

10/10
Maintained
High Risk

30 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Security-Policy
Medium Risk

security policy file detected

Determines if the project has published a security policy.

ℹ️ Info: security policy detected in org repo: github.com/pandas-dev/.github/SECURITY.md:1

10/10
Vulnerabilities
High Risk

no vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

8/10
Code-Review
High Risk

25 out of last 30 changesets reviewed before merge -- score normalized to 8

Determines if the project requires code review before pull requests (aka merge requests) are merged.

7/10
SAST
Medium Risk

SAST tool detected but not run on all commits

Determines if the project uses static code analysis.

⚠️ Warn: 0 commits out of 30 are checked with a SAST tool
ℹ️ Info: SAST tool detected: CodeQL

0/10
CII-Best-Practices
Low Risk

no badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Dependency-Update-Tool
High Risk

no update tool detected

Determines if the project uses a dependency update tool.

⚠️ Warn: dependabot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others.
⚠️ Warn: renovatebot config file not detected in source location. We recommend setting this configuration in code so it can be easily verified by others.

0/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/32-bit-linux.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/32-bit-linux.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/asv-bot.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/asv-bot.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:180: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/code-checks.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/code-checks.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docbuild-and-upload.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docbuild-and-upload.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/macos-windows.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/macos-windows.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-checks.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-checks.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-dev.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-dev.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecards.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale-pr.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/stale-pr.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/ubuntu.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin
⚠️ Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python to python@sha256:1a91094b2729a1d78fa2bb3260b94576447b20d05346d983e9c2f4fd72c6d9b5
⚠️ Warn: containerImage not pinned by hash: gitpod/Dockerfile:28: pin your Docker image by updating gitpod/workspace-base to gitpod/workspace-base@sha256:8773ee3145fc7549a6a1faf2f3d102ce677b2d5de17e8d531ff2abb7defa4c0c
⚠️ Warn: containerImage not pinned by hash: gitpod/gitpod.Dockerfile:5: pin your Docker image by updating gitpod/workspace-base:latest to gitpod/workspace-base:latest@sha256:8773ee3145fc7549a6a1faf2f3d102ce677b2d5de17e8d531ff2abb7defa4c0c
⚠️ Warn: containerImage not pinned by hash: gitpod/gitpod.Dockerfile:14
⚠️ Warn: pipCommand not pinned by hash: Dockerfile:10
⚠️ Warn: pipCommand not pinned by hash: Dockerfile:11-12
⚠️ Warn: downloadThenRun not pinned by hash: gitpod/Dockerfile:73-76
⚠️ Warn: pipCommand not pinned by hash: gitpod/Dockerfile:90-96
⚠️ Warn: downloadThenRun not pinned by hash: .circleci/setup_env.sh:11
⚠️ Warn: pipCommand not pinned by hash: .circleci/setup_env.sh:62
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/code-checks.yml:188
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/wheels.yml:158

0/10
Signed-Releases
High Risk

0 out of 5 artifacts are signed or have provenance

Determines if the project cryptographically signs release artifacts.

⚠️ Warn: release artifact v1.5.2 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/83828286
⚠️ Warn: release artifact v1.5.2 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/83828286
⚠️ Warn: release artifact v1.5.1 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/80285645
⚠️ Warn: release artifact v1.5.1 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/80285645
⚠️ Warn: release artifact v1.5.0 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/77555797
⚠️ Warn: release artifact v1.5.0 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/77555797
⚠️ Warn: release artifact v1.4.4 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/75884284
⚠️ Warn: release artifact v1.4.4 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/75884284
⚠️ Warn: release artifact v1.5.0rc0 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/75212675
⚠️ Warn: release artifact v1.5.0rc0 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/75212675

0/10
Token-Permissions
High Risk

non read-only tokens detected in GitHub workflows

Determines if the project's workflows follow the principle of least privilege.

ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/32-bit-linux.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/assign.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/assign.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/asv-bot.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=permissions
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/asv-bot.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/autoupdate-pre-commit-config.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=permissions
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/autoupdate-pre-commit-config.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/code-checks.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=permissions
⚠️ Warn: no topLevel permission defined: .github/workflows/codeql.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/docbuild-and-upload.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/macos-windows.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/macos-windows.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/package-checks.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/python-dev.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=permissions
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/sdist.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/stale-pr.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/stale-pr.yml/main?enable=permissions
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/ubuntu.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/ubuntu.yml/main?enable=permissions
⚠️ Warn: no topLevel permission defined: .github/workflows/wheels.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=permissions

N/A
Branch-Protection
Not Applicable

internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Determines if the default and release branches are protected with GitHub's branch protection settings.

N/A
Packaging
Not Applicable

no published package detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

⚠️ Warn: no GitHub publishing workflow detected