PyPI Package Dependencies and Their Unintended Consequences


Crista Perlton

Crista Perlton


Do I really need to leave .NET Framework for .NET 8? 13th September, 2023

Demystifying Microsoft .NET Long Term Support (LTS) in 2024 30th August, 2023


PyPI Package Dependencies and Their Unintended Consequences

Posted on .

You’ve got a problem with your Python application. It won’t build even though it worked fine yesterday—so what gives? 

Well, have you checked your package dependencies lately?  

You know, when Python packages depend on other packages, and those packages depend on even more packages, and still more—leading to a complicated dependency tree.  

Having uncontrolled package dependencies can lead to some unintended consequences, like version conflict and even malicious and vulnerable packages. Let’s see what happens when you let those dependency trees go unchecked. 

Version conflict: Cause, Effect, Fix 

The first problem you might run into with package dependencies is version conflict: When two packages require different versions of the same package in order to function—meaning your Python application may not build. 

The issue here is that when you download projects from, package dependencies aren’t listed. You’ll need to view dependencies using one of these three commands in Python: 

  • Pip show displays information about one or more of your installed packages.  
  • Pipdeptree shows dependencies as a tree using a command line utility. 
  • Pip list will list installed packages with various conditions. 

These are ok—but they may not give you all the information you need in an easy-to-digest format. 

Backtracking: Cause, Effect, Fix 

Another problem you might run into with dependency trees is backtracking. When pip install tries to automatically figure out which dependencies a requested package needs, it will make some assumptions—assumptions that can be incorrect.  

In these instances, pip install will use backtracking—undoing some of the work it had already done and choosing a different path—and although backtracking is a feature and not a bug, it can also lead to version conflict. 

To fix it, you could use a version specifier that tells your package to accept the dependency version that you want. But version specifiers are not the end answer. By allowing version specifiers to automatically accept and download third-party packages, you could be downloading malicious or vulnerable packages

You need a better solution 

Remember, dependency trees lead to complex problems like version conflict, automatically accepting third-party packages, and even malicious packages. You need a solution to all those problems.  

ProGet’s Package Consumers displays all the applications that are using, or “consuming”, a specific package.  

So, if you have a package that requires 4,000 dependent packages, Package Consumers will quickly and easily show you every package—along with your application’s name and version. 

You’ll see which applications are being affected and be able to make relevant changes—not to mention, ProGet’s built-in vulnerability scanning will also help you spot any potentially vulnerable packages.  

Now you can control those Python package dependency trees with ease and have extra time to do what matters.

Crista Perlton

Crista Perlton