
error installing

Open AlexTheGoat69 opened this issue 1 year ago • 8 comments

Collecting git+https://github.com/top-gg/python-sdk/ (from -r requirements.txt (line 14))
  Cloning https://github.com/top-gg/python-sdk/ to /tmp/pip-req-build-z18_guw1
  Running command git clone --filter=blob:none --quiet https://github.com/top-gg/python-sdk/ /tmp/pip-req-build-z18_guw1
  Resolved https://github.com/top-gg/python-sdk/ to commit 06844706605b2d368d6892933f7f1aae45be5dee
  Preparing metadata (setup.py) ... error
  error: subprocess-exited-with-error

  × python setup.py egg_info did not run successfully.
  │ exit code: 1
  ╰─> [1 lines of output]
      error in topggpy setup command: 'install_requires' must be a string or list of strings containing valid project/version requirement specifiers; Parse error at "'://files'": Expected stringEnd
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed

× Encountered error while generating package metadata.
╰─> See above for output.

note: This is an issue with the package mentioned above, not pip.

AlexTheGoat69 Feb 24 '24 17:02
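The `egg_info` failure above happened while pip was already executing the cloned repository's `setup.py`; the parse error on `'://files'` is what stopped it. As an added example (not code from this issue or from the top-gg project), here is a small Python check that reads `install_requires` out of a checked-out `setup.py` by parsing it rather than running it, and flags bare URLs (the shape setuptools rejected here), `name @ url` direct references, and entries that do not look like a requirement specifier at all. The sample `setup.py`, the `example.invalid` URLs and the simplified PEP 508 regex are constructed assumptions for the example.

```python
import ast
import re

# Simplified PEP 508 shape (an assumption, not the full grammar): name[extras] version-clauses ;marker
_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
_OP = r"(?:~=|===|==|!=|<=|>=|<|>)"
_VER = rf"{_OP}\s*[\w.*+!-]+"
_SPEC = re.compile(rf"^{_NAME}\s*(?:\[[^\]]*\])?\s*(?:{_VER}\s*(?:,\s*{_VER}\s*)*)?(?:;.*)?$")
_DIRECT = re.compile(rf"^{_NAME}\s*(?:\[[^\]]*\])?\s*@\s*\S+")

def classify_requirement(entry: str) -> str:
    """Classify one install_requires entry: 'ok', 'direct-url', 'raw-url' or 'invalid'."""
    s = entry.strip()
    if _DIRECT.match(s):
        return "direct-url"  # "name @ url": pip fetches whatever that URL serves
    if "://" in s:
        return "raw-url"  # bare URL where a name belongs; the shape the issue's egg_info error rejected
    if _SPEC.match(s):
        return "ok"
    return "invalid"

def extract_install_requires(setup_py_source: str):
    """Pull install_requires out of setup.py by parsing the source, never by executing it."""
    calls = [n for n in ast.walk(ast.parse(setup_py_source)) if isinstance(n, ast.Call)]
    for call in calls:
        if (getattr(call.func, "id", None) or getattr(call.func, "attr", None)) != "setup":
            continue
        for kw in call.keywords:
            if kw.arg == "install_requires":
                try:
                    value = ast.literal_eval(kw.value)
                except ValueError:
                    return None  # built at runtime (variable, function call): needs manual review
                return [value] if isinstance(value, str) else list(value)
    return []

def audit_setup_py(setup_py_source: str):
    """Return (entry, verdict) pairs a reviewer should look at before pip runs this setup.py."""
    reqs = extract_install_requires(setup_py_source)
    if reqs is None:
        return [("<install_requires>", "dynamic")]
    return [(r, classify_requirement(r)) for r in reqs if classify_requirement(r) != "ok"]

# Constructed sample setup.py; the URLs are placeholders, not anything from the real commit.
SAMPLE_SETUP_PY = '''from setuptools import setup
setup(name="demo", install_requires=["aiohttp>=3.8,<4", "base58",
    "helper @ https://example.invalid/helper-1.0.tar.gz",
    "https://files.example.invalid/payload-1.0-py3-none-any.whl"])
'''
```

Run it on the checkout before `pip install git+...` or `pip install -e .`; an empty result only means the declared dependencies parse cleanly, so a `dynamic` verdict or any flagged entry still needs a human to read the file.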

I believe that this package has malware on it. This commit was covered by 19 other junk commits: https://github.com/top-gg/python-sdk/commit/ecb87731286d72c8b8172db9671f74bd42c6c534

The base58 package has something to do with cryptocurrency, and the DateTime package has something to do with APIs.

My recommendation as of now is to ensure that none of these files are installed. Do not install this package until this is fixed. I have notified a maintainer of the project and hopefully, they can resolve this.

Icebluewolf Feb 26 '24 00:02

The safest option so far seems to be to install it directly from PyPI via pip install topggpy. There have been no updates past the previous 2 maintainers' (my own and @norinorin's) updates up until 2.0.0a (alpha) or 1.4.0 (stable) pushed to the PyPI package since then, and I have not been contacted by anyone regarding ownership of the package to this day.

The entire master branch seems to have been overwritten, interestingly enough. My presumption (hooray unnecessary drama!) is that the maintainer wanted to remove the credit of the previous maintainers.

TL;DR: PyPI is the way, screw this repo until it's somehow fixed.

Personal input, feel free to ignore

This also brings up a question on my side of how the repositories are managed currently if a random person is given direct access to the repository whereas the previous two maintainers had to wiggle our way into PRs and them actually being reviewed.

Esmeray6 Feb 26 '24 06:02

Additionally, to prevent any further misunderstandings or reasons to worry, I will not update the PyPI package page to remove the Install from Git part until:

  • this matter is resolved fully; or
  • I am given the green light by Top.gg employees personally (For reference, my Discord username is @tothebeat. Feel free to contact me here.).

Esmeray6 Feb 26 '24 06:02

Just a note about the PyPI release. I have been told that this will not work for users who are not using discord.py unless you add extra steps, as the PyPI release still has d.py as a dependency.

Icebluewolf Feb 26 '24 12:02

I will double-check that later today and confirm.

Esmeray6 Feb 26 '24 12:02

> Just a note about the PyPI release. I have been told that this will not work for users who are not using discord.py unless you add extra steps, as the PyPI release still has d.py as a dependency.

Hey, if you're not using discord.py, installing the pre-release is the way to go (pip install topggpy --pre). It should be stable enough as far as my tests went. There are examples for discord.py (which theoretically should work with its forks) and hikari in the repo (hopefully it's not been tampered with, or look it up here if you want to be sure). Feel free to try it out and let me know if you encounter any issues.

norinorin Feb 26 '24 15:02

Took a quick look and yep, 1.4.0 relies on d.py heavily as a dependency. 2.0.0a is the only way, big thanks to nori for the reply. 😁

Esmeray6 Feb 26 '24 15:02

Please take a look at #76. You're actually spreading malware, and anyone who installed your SDK on Windows needs to check their system to get the malware removed.

DEMON1A Mar 04 '24 07:03

This one can be closed now. @null8626 @velddev

Esmeray6 Jun 06 '24 08:06

Once #79 gets merged.

null8626 Jun 06 '24 11:06

It's not related to #79. The issue occurred due to the malware dependency, which is now fixed.

Esmeray6 Jun 06 '24 12:06

Oh, my bad! I thought this issue was related to Python 3.12 in some way... Close it is.

null8626 Jun 06 '24 17:06