
PyPI Package Dependencies and their unintended consequences

by Crista Perlton, on May 3, 2022 2:54:00 AM

You’ve got a problem with your Python application. It won’t build even though it worked fine yesterday—so what gives? 

Well, have you checked your package dependencies lately?  

You know, when Python packages depend on other packages, and those packages depend on even more packages, and still more—leading to a complicated dependency tree.  

Leaving package dependencies uncontrolled can lead to some unintended consequences, from version conflicts that break the build to pulling in vulnerable or even malicious packages. Let’s see what happens when you let those dependency trees go unchecked. 

Version conflict: Cause, Effect, Fix 

The first problem you might run into with package dependencies is version conflict: two packages in your tree require incompatible versions of the same third package. pip can install only one version of a package into an environment, so it cannot satisfy both, and your Python application may not build. 


The issue here is that the pypi.org project page doesn’t list a release’s dependencies, let alone the transitive tree behind them. To see what a package actually pulls into an environment, use one of these pip-side commands (they are shell commands, not Python code): 

  • pip show <package> prints an installed package’s metadata, including its Requires and Required-by lines, so you can walk the tree one hop at a time.  
  • pipdeptree (a separate package: pip install pipdeptree) renders every installed package as a dependency tree and warns about requirements that conflict. 
  • pip list lists the installed packages, with filters such as --outdated. 

These are ok, but they report only what is already installed, and none of them resolves a conflict for you; pip check at least flags requirements that the installed set does not satisfy. 
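As an added example (not code from the original post or from any Inedo product), the following Python script reads the same Requires-Dist metadata that pip show and pipdeptree use, via the standard library’s importlib.metadata, and prints a pipdeptree-style tree. It runs against a constructed set of package metadata so it works offline; the sample_requires hook and the package names in SAMPLE are assumptions made up for the example, and passing installed_requires instead walks your real environment. It also shows two details practitioners trip over: project names must be normalized before comparing (Charset_Normalizer and charset-normalizer are the same project), and requirements guarded by an extra == marker are optional and not part of the tree unless that extra was requested.

```python
"""pipdeptree-style dependency tree from Requires-Dist metadata.

Added example, not from the original post. Uses only the standard library.
"""
import re
from importlib import metadata

NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: 'Charset_Normalizer' == 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def required_names(requires_dist):
    """Dependency names from Requires-Dist lines, skipping optional extras.

    Handles both spellings seen in the wild:
      'foo (>=1.0) ; python_version >= "3"'   and   'foo>=1.0; extra == "socks"'
    """
    names = []
    for line in requires_dist or []:
        req, _, marker = line.partition(";")
        if "extra" in marker and "==" in marker:
            continue  # only installed when that extra is requested
        match = NAME_RE.match(req)
        if match:
            names.append(normalize(match.group(1)))
    return names


def installed_requires(name):
    """Real hook: dependencies of an installed distribution, None if not installed."""
    try:
        dist = metadata.distribution(name)
    except metadata.PackageNotFoundError:
        return None
    return required_names(dist.requires)


def build_tree(root, requires_of=installed_requires, depth=0, seen=None, out=None):
    """Depth-first walk producing (depth, name, status) rows.

    status is 'ok', 'missing' (required but not installed) or 'cycle'.
    """
    seen = set() if seen is None else seen   # names on the current path
    out = [] if out is None else out
    name = normalize(root)
    if name in seen:
        out.append((depth, name, "cycle"))
        return out
    deps = requires_of(name)
    if deps is None:
        out.append((depth, name, "missing"))
        return out
    out.append((depth, name, "ok"))
    seen.add(name)
    for dep in deps:
        build_tree(dep, requires_of, depth + 1, seen, out)
    seen.discard(name)  # the same package may legitimately sit under two parents
    return out


def render(rows):
    lines = []
    for depth, name, status in rows:
        suffix = "" if status == "ok" else f" [{status}]"
        lines.append("  " * depth + name + suffix)
    return "\n".join(lines)


# Constructed metadata standing in for an environment (assumption, not a PyPI snapshot).
SAMPLE = {
    "myapp": ["requests (>=2.25)", 'Fancy_Logger>=1; python_version >= "3"', "Not_Installed"],
    "requests": ["charset-normalizer (<3,>=2)", "urllib3 (<1.27,>=1.21.1)", 'PySocks ; extra == "socks"'],
    "charset-normalizer": [],
    "urllib3": [],
    "fancy-logger": ["myapp"],  # constructed cycle back to the root
}


def sample_requires(name):
    """Hypothetical hook with the same contract as installed_requires, backed by SAMPLE."""
    reqs = SAMPLE.get(name)
    return None if reqs is None else required_names(reqs)


if __name__ == "__main__":
    print(render(build_tree("myapp", sample_requires)))
```

Running it prints myapp at the top, requests with its two real dependencies beneath it, fancy-logger with a [cycle] marker where it points back at myapp, and not-installed flagged [missing]; PySocks never appears because its marker makes it an optional extra. Replace sample_requires with installed_requires (the default) to walk whatever is installed in the current interpreter.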

Backtracking: Cause, Effect, Fix 

Another problem you might run into with dependency trees is backtracking. Since pip 20.3, pip install uses a resolver that picks the newest candidate satisfying each requirement as it goes. That early pick is a guess, and a requirement discovered later in the tree can rule it out.  

When that happens pip backtracks: it discards the choice, tries the next candidate version, and continues. Backtracking is a feature and not a bug, but it has costs. On a large tree it can take a very long time, and when no combination of versions works it ends in a version conflict, which pip reports as ResolutionImpossible together with the requirements it could not reconcile. 

To fix it, you can add a version specifier that narrows a dependency to the versions you know work, or pin it outright. But version specifiers alone are not the end answer. A loose specifier such as requests>=2 tells pip to accept whatever matching release the index serves up, including one published after you last tested, and that is exactly how a vulnerable or malicious version gets downloaded into a build automatically. Pin exact versions, and where you can, their hashes as well (pip’s --require-hashes mode), so that what gets installed is what you actually reviewed. 
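To make the backtracking described above concrete, here is an added example (my own code, not pip’s resolver and not part of the original post): a deliberately small backtracking resolver run against a constructed in-memory index. The package names, versions and requirements in INDEX are invented for the example, versions are compared as integer tuples, and only the ==, !=, <, <=, >, >= operators are supported, so this is a model of the algorithm rather than a drop-in tool. It shows the resolver picking the newest httpclient first, dead-ending on urltools, backtracking to an older httpclient, and finally producing a set that you would freeze into exact pins; it also shows the case where no combination works, which is what pip reports as ResolutionImpossible.

```python
"""Miniature backtracking dependency resolver over a constructed index.

Added example, not pip's code. Models the behaviour of pip's resolver
(newest candidate first, backtrack on conflict) on invented packages.
"""
import operator
import re

OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
       ">=": operator.ge, "<": operator.lt, ">": operator.gt}
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")


def parse_version(text):
    """'1.2' -> (1, 2); integer tuples are enough for this model."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(text):
    """'foo>=1.2,<2' -> ('foo', [('>=', (1, 2)), ('<', (2,))])."""
    name, spec = REQ_RE.match(text.strip()).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        op = next(o for o in sorted(OPS, key=len, reverse=True) if part.startswith(o))
        clauses.append((op, parse_version(part[len(op):].strip())))
    return name, clauses


def satisfies(version, clauses):
    return all(OPS[op](version, bound) for op, bound in clauses)


class ResolutionImpossible(Exception):
    """Raised when no version combination satisfies every requirement."""


def resolve(index, requirements):
    """Return ({name: version}, attempts) or raise ResolutionImpossible.

    index: {name: {version_tuple: [requirement strings]}}. Candidates are tried
    newest-first; a pick that later conflicts is undone and the next one tried.
    attempts logs every (name, version) pick so the backtracking is visible.
    """
    attempts = []

    def search(pending, chosen):
        if not pending:
            return chosen
        (name, clauses), rest = pending[0], pending[1:]
        if name in chosen:  # already picked: it must satisfy this clause too
            return search(rest, chosen) if satisfies(chosen[name], clauses) else None
        if name not in index:
            return None
        for version in sorted(index[name], reverse=True):
            if not satisfies(version, clauses):
                continue
            attempts.append((name, version))
            new_pending = rest + [parse_requirement(r) for r in index[name][version]]
            result = search(new_pending, {**chosen, name: version})
            if result is not None:
                return result
        return None  # every candidate dead-ended: caller backtracks

    result = search([parse_requirement(r) for r in requirements], {})
    if result is None:
        raise ResolutionImpossible(f"no version combination satisfies {requirements}")
    return result, attempts


def resolvable(index, requirements):
    try:
        resolve(index, requirements)
        return True
    except ResolutionImpossible:
        return False


def freeze(chosen):
    """Exact pins, the form to commit instead of loose ranges."""
    return "\n".join(f"{n}=={'.'.join(map(str, v))}" for n, v in sorted(chosen.items()))


# Constructed index (assumption): httpclient 3.0 needs urltools 2+, authlib needs urltools <2.
INDEX = {
    "webapp": {(1, 0): ["httpclient>=2", "authlib>=1"]},
    "httpclient": {(3, 0): ["urltools>=2"], (2, 5): ["urltools>=1,<2"]},
    "authlib": {(1, 2): ["urltools<2"]},
    "urltools": {(2, 1): [], (1, 9): [], (1, 4): []},
}

if __name__ == "__main__":
    chosen, attempts = resolve(INDEX, ["webapp"])
    for name, version in attempts:
        print("try", name, ".".join(map(str, version)))
    print(freeze(chosen))
    print("httpclient>=3 with authlib>=1:", resolvable(INDEX, ["httpclient>=3", "authlib>=1"]))
```

The attempt log shows httpclient 3.0 being tried first, urltools 2.1 being picked for it and then rejected by authlib’s urltools<2, and the resolver falling back to httpclient 2.5 with urltools 1.9. Asking for httpclient>=3 alongside authlib>=1 leaves no candidate to fall back to, so resolve raises instead. The real resolver does the same search over far larger candidate sets, which is why a poorly constrained tree can backtrack for a long time before failing.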

You need a better solution 

Remember, dependency trees lead to complex problems: version conflicts, automatic acceptance of whatever third-party versions the index happens to serve, and even malicious packages. You need a solution to all of those problems.  

ProGet’s Package Consumers displays all the applications that are using, or “consuming”, a specific package.  

So, if you have a package that sits in a tree of 4,000 dependent packages, Package Consumers will quickly and easily show you every one of them, along with the consuming application’s name and version. 

You’ll see which applications are affected and be able to make the relevant changes; not to mention, ProGet’s built-in vulnerability scanning will also help you spot any potentially vulnerable packages in that tree.  

Now you can control those Python package dependency trees with ease and have extra time to do what matters.
