stackoom
  简体   繁体   中英

How to impose constraints on sub-dependencies in setuptools?

 原文  2022-12-13 11:39:43       python/ dependencies/ setuptools

Question

Background

Suppose my package depends on the foo package, and foo , in turn, depends on the bar package, specifically bar>=1.0.0 .

In other words, bar is a sub-dependency for my package.

Following best practice , my pyproject.toml (or setup.cfg ) specifies only direct dependencies, no sub-dependencies. For example:

[project]
# ...
dependencies = [
    "foo>=2.0",
]

Problem

Now suppose bar version 1.0.1 has been released in order to patch a security vulnerability, but foo has not picked up on this yet (it still uses bar>=1.0.0 ).

Instead of waiting for foo to catch up, I want to make sure my package enforces the use of bar>=1.0.1 .

Current solution

The obvious solution would be to add a constraint to my pyproject.toml as follows:

[project]
# ...
dependencies = [
    "foo>=2.0",
    # constraint for sub-dependency
    "bar>=1.0.1",
]

This works, but now it looks like my project depends directly on bar , whereas bar is only a sub-dependency: I don't import anything directly from bar , and if foo ever decides not to use bar anymore, I won't need it either.

Question

Is there a better way to specify a constraint for a sub-dependency using setuptools ?

1 answers

solution1
 1  2022-12-13 12:46:28

Unless I'm missing something: no. Not using setuptools .

Your package is going to be built into a binary distribution ( wheel , a .whl file). After that point, setuptools is no longer in the picture, and the package metadata needs to follow Core metadata specifications , which do not have any facility for specifying constraints.

pip has a relevant option for this: 

  -c, --constraint <file>     Constrain versions using the given constraints
                              file. This option can be used multiple times.

You can read more about constrain files in pip documentation .

There's also an argument to be made about what counts as a dependency for a package. If people depend on X to be secure, and X depends (transitively) on Y to be secure, then you could argue in a hand-wavy way that this has to be taken into account inside the dependencies list, even though there's no coupling in the code.

The counterpoint is that this exposes packages that depend on both X and Y to a dependency hell. Further, there's no safety hatch in case Y stops being necessary for your direct dependencies.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to impose constraints based on previous solution in PuLP? How setuptools deals with transitive dependencies? pip - installation of sub-dependencies overrides other packages on requirements.txt How to specify dependencies using setuptools? Python lmfit impose subtle constraints Setuptools platform specific dependencies Build dependencies automatically with setuptools How to package multiple single modules as sub-package with python setuptools Dependencies auto discovery for Python setuptools? How does setuptools installs test dependencies on python setup.py test command
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM