PyPI Package Dependencies and their unintended consequences
by Crista Perlton, on May 3, 2022 2:54:00 AM
You’ve got a problem with your Python application. It won’t build even though it worked fine yesterday—so what gives?
Well, have you checked your package dependencies lately?
You know, when Python packages depend on other packages, and those packages depend on even more packages, and still more—leading to a complicated dependency tree.
Having uncontrolled package dependencies can lead to some unintended consequences, like version conflicts and even pulling in malicious or vulnerable packages. Let’s see what happens when you let those dependency trees go unchecked.
Version conflict: Cause, Effect, Fix
The first problem you might run into with package dependencies is version conflict: two packages require different versions of the same package in order to function, which means your Python application may not build.
The issue here is that when you download projects from pypi.org, package dependencies aren’t listed. You’ll need to view dependencies from the command line, using one of these three tools:
- pip show displays information (including the Requires and Required-by fields) about one or more of your installed packages.
- pipdeptree, a separately installed utility, shows your installed packages and their dependencies as a tree.
- pip list lists installed packages, with options to filter them (for example, only outdated or only top-level packages).
These work, but they may not give you all the information you need in an easy-to-digest format.
Backtracking: Cause, Effect, Fix
Another problem you might run into with dependency trees is backtracking. When pip install tries to automatically figure out which dependencies a requested package needs, it picks candidate versions as it goes, and those choices can turn out to be wrong once a later requirement is seen.
In these instances, pip install will use backtracking: undoing some of the work it had already done and choosing a different path. Although backtracking is a feature and not a bug, it can be slow, and it can still end in a version conflict that pip cannot resolve.
To fix it, you could use a version specifier that tells pip which version of the dependency your package will accept. But version specifiers are not the whole answer. By allowing version specifiers to automatically accept and download third-party packages, you could be downloading malicious or vulnerable packages.
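To make the two problems above concrete (viewing a dependency tree, and seeing how two packages' version specifiers can collide on one shared dependency), here is an added example that is not from the original post and not part of pip, pipdeptree or ProGet. It builds the same kind of tree pipdeptree prints and then checks every requirement in the tree against the version actually present. The package index it walks (myapp, webclient, reporter, urllib3 and their requirement strings) is constructed sample data so the script runs offline; the installed_index helper shows how the same structure can be read from your real environment with the standard-library importlib.metadata module. Version comparison is a deliberate simplification of PEP 440 (numeric parts only; unknown operators are skipped).

```python
"""Walk a dependency tree and flag version conflicts (added example)."""
import re
from importlib import metadata

# Constructed sample index: package -> (installed version, requirement strings).
# webclient and reporter both depend on urllib3 but with incompatible specifiers.
SAMPLE_INDEX = {
    "myapp": ("1.0", ["webclient==2.1", "reporter>=0.5"]),
    "webclient": ("2.1", ["urllib3>=1.26,<2"]),
    "reporter": ("0.7", ["urllib3>=2.0"]),
    "urllib3": ("1.26.15", []),
}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")
SPEC_RE = re.compile(r"(==|!=|>=|<=|>|<)\s*(.+)")
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_requirement(req):
    """Split 'name>=1.0,<2' into ('name', ['>=1.0', '<2']).

    Extras ('name[extra]'), parentheses and environment markers (after ';')
    are stripped so real metadata strings parse too."""
    req = req.split(";", 1)[0]
    req = re.sub(r"\[[^\]]*\]", "", req).replace("(", "").replace(")", "")
    name, spec = REQ_RE.match(req).groups()
    return name.lower(), [s.strip() for s in spec.split(",") if s.strip()]


def version_tuple(version):
    """'1.26.15' -> (1, 26, 15). Simplified PEP 440: numeric parts only."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def satisfies(version, specs):
    """True if the version meets every specifier; unknown operators are skipped."""
    for spec in specs:
        m = SPEC_RE.match(spec)
        if m and not OPS[m.group(1)](version_tuple(version), version_tuple(m.group(2))):
            return False
    return True


def dependency_tree(root, index, indent=0, seen=None):
    """Return indented lines like pipdeptree prints; repeats are not expanded twice."""
    seen = set() if seen is None else seen
    version = index[root][0] if root in index else "missing"
    lines = ["  " * indent + f"{root}=={version}"]
    if root in seen or root not in index:
        return lines
    seen.add(root)
    for req in index[root][1]:
        dep, _ = parse_requirement(req)
        lines.extend(dependency_tree(dep, index, indent + 1, seen))
    return lines


def find_conflicts(root, index):
    """Collect every requirement placed on each package in the tree and report
    packages whose present version fails at least one of them."""
    demands = {}  # dependency name -> [(requiring package, specifiers)]
    stack, visited = [root], set()
    while stack:
        pkg = stack.pop()
        if pkg in visited or pkg not in index:
            continue
        visited.add(pkg)
        for req in index[pkg][1]:
            dep, specs = parse_requirement(req)
            demands.setdefault(dep, []).append((pkg, specs))
            stack.append(dep)
    conflicts = []
    for dep, wants in demands.items():
        if dep not in index:
            conflicts.append((dep, "missing", wants))
            continue
        version = index[dep][0]
        unmet = [(who, specs) for who, specs in wants if not satisfies(version, specs)]
        if unmet:
            conflicts.append((dep, version, unmet))
    return conflicts


def installed_index():
    """Build the same structure from the packages installed in this environment."""
    index = {}
    for dist in metadata.distributions():
        index[dist.metadata["Name"].lower()] = (dist.version, list(dist.requires or []))
    return index


if __name__ == "__main__":
    print("\n".join(dependency_tree("myapp", SAMPLE_INDEX)))
    for dep, version, unmet in find_conflicts("myapp", SAMPLE_INDEX):
        for who, specs in unmet:
            print(f"CONFLICT: {dep} {version} does not satisfy {who} ({','.join(specs)})")
```

Run against SAMPLE_INDEX, the tree shows urllib3 reached through both webclient and reporter, and the conflict check reports that urllib3 1.26.15 fails reporter's requirement of >=2.0. Swapping SAMPLE_INDEX for installed_index() and a root package name turns it into a quick audit of a real environment.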
You need a better solution
Remember, dependency trees lead to complex problems like version conflicts, automatically accepting third-party packages, and even malicious packages. You need a solution to all those problems.
ProGet’s Package Consumers feature displays all the applications that are using, or “consuming”, a specific package.
So, if you have a package that requires 4,000 dependent packages, Package Consumers will quickly and easily show you every package—along with your application’s name and version.
You’ll see which applications are being affected and be able to make relevant changes—not to mention, ProGet’s built-in vulnerability scanning will also help you spot any potentially vulnerable packages.
Now you can control those Python package dependency trees with ease and have extra time to do what matters.