3

In packaging a Python application using setuptools, I am populating the install_requires list with all the PyPI dependencies of my application. I find myself manually combing through all my sources to find these. Is this the right way to do it? Or can this list be auto-populated somehow?

sinoroc
  • 18,409
  • 2
  • 39
  • 70
rishai
  • 495
  • 3
  • 15
  • 2
    You should only list the direct dependencies in `install_requires` (not the indirect ones, the dependencies of your dependencies), so this should be a relatively short list and you probably should curate this list by hand. There are probably ways to automate this of course, I think I have seen such tools before, but I don't see the point really, so I haven't used them and can't recall their names. – sinoroc Apr 09 '20 at 21:24
  • 1
    Hi Sinoroc, good to know I'm doing it right, but - curious - why should this list be curated by hand instead of automated? I found myself missing direct dependencies initially because I missed looking at a source file. – rishai Apr 09 '20 at 22:48
  • 1
    Thinking about it again, it would be nice to have a tool that could analyze the code of the current project and tell you which of the libraries installed in the environment are direct dependencies of the current project. It could be helpful indeed. So far I have always done it by hand, I use [_tox_](https://pypi.org/project/tox/), which would probably tell me if I missed one direct dependency, but wouldn't say anything if have one unnecessary library in `install_requires`. – sinoroc Apr 10 '20 at 07:00
  • 1
    Missing in my previous comment: I combine _tox_ with a _linting_ tool such as [_pylint_](https://pypi.org/project/pylint/) to get notified if some _imports_ can't be resolved, which means that some library is missing in `install_requires`. – sinoroc Apr 10 '20 at 07:08
  • 1
    Maybe have a look at [pipreqs](https://pypi.org/project/pipreqs/), seen here: https://stackoverflow.com/a/31684470/11138259 – sinoroc Apr 13 '20 at 12:12
  • @sinoroc Looks useful! It has the added benefit of specifying the versions being used as well. – rishai Apr 14 '20 at 01:17

1 Answers1

1

From my point of view install_requires should only list the direct dependencies of your project (not the indirect ones, the dependencies of your dependencies). So it often is a relatively short list, that can probably should be curated by hand, the same way you carefully hand-picked your libraries to begin with.

In common scenarios, using tox in combination with a linting tool such as pylint would let you know if some imports can't be resolved, which most likely means that libraries are missing from install_requires.

In the case you already have lots of dependencies but lost track of which ones and didn't keep install_requires up to date, then I believe a tool such as pipreqs or pigar can help (there are probably other similar tools, but that's the ones I stumbled upon while browsing the following similar questions: 1, 2).

sinoroc
  • 18,409
  • 2
  • 39
  • 70