pyparsing

pyparsing has been my go-to for building parsers in Python for years, particularly for config files and DSLs. From a security perspective, it's notably safe-by-default: no eval() calls, no arbitrary code execution risks, and parsing failures don't expose internal state. The library validates input structurally without injection vulnerabilities that plague regex-based parsers. I've used it for parsing user-supplied configuration formats where security matters.

The main practical challenge is error handling - parse exceptions can be cryptic and don't always clearly indicate what input caused the failure or where. You'll need to wrap parsing logic carefully to avoid leaking structural details about your grammar in production error messages. The library itself has minimal dependencies (pure Python), which dramatically reduces supply chain risk. No crypto/TLS concerns since it's a pure parsing library.

Day-to-day, the API is verbose compared to regex but far more maintainable for complex grammars. Performance is acceptable for moderate-size inputs but not suitable for parsing gigabytes of data. The lack of CVEs in its long history is reassuring.

Pyparsing offers an elegant Python-native approach to building parsers without external DSLs or code generation. The declarative grammar syntax is intuitive once you understand it, and the ability to attach parse actions makes transforming results straightforward. However, this convenience comes at a steep cost in production environments.

Performance is the elephant in the room. For anything beyond toy examples or config file parsing, pyparsing is painfully slow—easily 10-100x slower than alternatives like lark-parser or hand-written parsers. Memory consumption scales poorly with input size due to extensive object creation during parsing. There's no built-in memoization or packrat parsing by default in older versions, and enabling it requires understanding internal implementation details.

Error messages are cryptic and unhelpful for end users. When a parse fails, you get stack traces and parser state dumps that are useless for providing actionable feedback. No timeout controls exist, so malicious or malformed input can hang your service indefinitely. The library wasn't designed with production observability in mind—adding metrics or tracing requires invasive instrumentation.

Pyparsing is a pure-Python parser combinator library that lets you build complex grammars without external tools. While powerful, the API feels dated and verbose compared to modern alternatives. The operator overloading (`+`, `|`, `<<`) for building grammars is clever but becomes cryptic in larger parsers. Type hints are minimal to non-existent, making IDE autocompletion nearly useless—you'll constantly reference docs to remember method names and parameters.

Error messages during parsing failures are often vague, showing position indices without helpful context about what was expected. Debugging requires liberal use of `setDebug()` and carefully tracing through grammar rules. The learning curve is real: combining `Forward()`, `Group()`, `Suppress()`, and action functions requires trial-and-error to get right.

Documentation is comprehensive but dense, with examples scattered across the module docstrings. The 'Getting Started' guide helps, but you'll need significant time investment to become productive. For simple parsing tasks, regex or string methods are easier; for complex grammars, modern parser generators or libraries with better DX might be worth exploring.