What’s New in Posit Package Manager 2024.11.0

Posit Package Manager 2024.11.0 is now available for download. See the full release notes for these and all other changes and improvements.

Enrich package information with custom metadata

This release introduces Metadata Services, a new set of features which allow you to enrich Package Manager’s built-in package information with your own metadata, for example:

• internal package scores
• package approval status
• CVE scores
• links to internal guides and documentation
• any other custom information that helps you manage your environments

Package Manager then displays your metadata in the web interface for each package:

What is metadata? In simplest terms, metadata is just information about packages. Public repositories like CRAN and PyPI provide a wealth of metadata about their packages, which we display on the Packages page in Package Manager. 

Many teams and organizations want to provide supplemental information about packages to their users but that information might be stuck in spreadsheets and other systems. We now provide the ability to add your own custom package metadata. This enables you to put everything your admins and users need to know about a package in one central location so you can:

• better and more easily understand and manage your critical environments, whether you are in pharmaceuticals, defense, finance, or other sensitive industries
• more efficiently provide users with important information
• reduce risk by removing doubt 

Metadata can be added manually using our CLI, or you can push data from its source directly to Package Manager via our Server API. Once in Package Manager, the additional metadata is displayed in the web UI, as well as available for querying via API. 

Where is this going? Future enhancements will enable:

• curating packages based on metadata
• blocking packages based on metadata
• and more, so stay tuned!

For more information about using Metadata Services, refer to our documentation.

Build wheels from git for Python packages

Package Manager will now build both the source distribution (sdist) and binary distribution (wheel) for a Python package if possible. In Package Manager 2023.12.0 we brought our popular Git Builders to Python for automated building and publishing of Python source distributions. This 2024.11.0 release expands that support to also build Python wheels – binary distributions of packages that speed up installation and reduce installation failures. 

You might need to install additional system dependencies to build wheels, especially for packages with compiled code. If a wheel build fails, Package Manager will fall back to building only the source distribution.

Wheels with compiled code will be specific to the operating system or distribution that Package Manager is running on. Users on other operating systems or distributions may still need to compile the source distribution when installing Git-built packages.

More flexible, granular package blocking

Now, Package Manager allows “blocklist” rules to be set on a per-repository basis, so administrators can enforce the blocking of specific packages in some repositories but not others. Allow analysts in your innovation labs to use any package while helping production analysts use only approved packages! This flexibility allows administrators to enforce the right level of security for each repository, keeping your teams productive with fewer interruptions and less risk.

Previously, blocklist rules could only be set at the source level, which meant blocked packages were unavailable for all repositories. Package blocking gives administrators a flexible way to restrict installation of specific packages to help enforce business policy and regulatory requirements. 

Offline PyPI Improvements

When in air-gapped environments, Package Manager now allows specifying version constraints for individual PyPI packages.

For those running Package Manager in an offline or air-gapped environment, we have expanded our support for Offline PyPI repositories. To reduce the amount of data that needs to be copied to your environment, you can specify version constraints for individual PyPI packages. Some popular Python packages have hundreds of older versions, and in many cases, you only want to make the most recent versions available to save disk space. Both specific versions or ranges of versions are now supported. 

If you’re a current customer, you can follow our instructions for upgrading Posit Package Manager. Curious if Package Manager can help your organization securely deliver Python and R packages internally? Learn more at posit.co/package-manager.