Python dependency management is essential to the well-being of your projects. If your Python application relies on third-party libraries and frameworks to function, properly managing them can help you reap the rewards of security, sustainability, and consistency.
If you manage your direct dependencies and transitive dependencies well, you could produce a performant and quality application. It’s what you need to take your Python development efforts to the next level.
This article talks about how to manage Python dependencies. We’ll demonstrate how you can use the popular pip tool for managing dependencies in Python. We’ll also go over some alternatives in case pip does not meet your use case needs.
Getting Started With pip
pip (package installer for Python) is the default tool used for managing packages in Python. It comes preinstalled with Python version 2.7.9 (or later) and Python version 3.4 (or later). If you’re using an older Python version, you can follow the instructions for installing pip here.
If you’ve used package management tools in other languages, such as Node.js’ npm, pip is similar in spirit to those.
You can run the following command on your console to confirm that pip is available on your machine:
| pip –version |
Here is an example:
| PS C:\Users\User> pip –version pip 20.2.3 from c:\users\user\appdata\local\programs\python\python39\lib\site-packages\pip (python 3.9) |
As you can see above, the command outputs the pip version alongside the location and version of Python installed on your machine.
Installing Packages With pip
Python is generally considered as a battery included language; that is, it has a rich collection of packages and modules you can use to make a wide variety of tasks easy and fast.
Similarly, Python has a robust community of contributors that creates an even larger set of packages. These libraries, tools, and frameworks are primarily published on PyPI (Python Package Index). There are also other public and private sources for hosting Python packages.
You can use pip to easily download and install dependencies. By default, the tool downloads packages from PyPI.
Here is how to install a package:
| pip install <package_name> |
The above command searches for the latest version of the specified package and installs it. It also looks for dependencies available in the package metadata and installs them as well. This ensures that the package has all the requirements for functioning optimally.
If you want to install a specific package version for whatever reason, use the equality operator (==) and mention the version number to install:
| pip install <package_name>==<version_number> |
For example, let’s see how you can install the download module for easily downloading files from the web:
| pip install download |
If you want to install a specific version, run the following command:
| pip install download==0.3.2 |
Once it is installed, you can import and use it in your project:
Here is an example:
| from download import download path = download(add_url, add_file_path) |
Uninstalling Packages With pip
Before removing a package, it’s important to check its list of dependencies. If you remove a package that others are using, you may bring your application to its knees.
You can start by using the list command to list all the packages available on your system:
Here is an example:
| PS C:\Users\User> pip list Package Version ———— ——— certifi 2020.12.5 chardet 4.0.0 click 7.1.2 download 0.3.5 Flask 1.1.2 MarkupSafe 1.1.1 pip 20.2.3 |
Next, use the show command to get more information about an installed package, especially its list of dependencies.
Here is an example:
| PS C:\Users\User> pip show download Name: download Version: 0.3.5 Summary: A quick module to help downloading files using python. Home-page: https://github.com/choldgraf/download Author: None Author-email: None License: BSD (3-clause) Location: c:\users\user\appdata\local\programs\python\python39\lib\site-packages Requires: tqdm, requests, six Required-by: |
As you can see above, the last two fields, Requires and Required-by, give the package’s list of dependencies. In this case, the download package requires three other dependencies, but it’s not required by any other package. So, it’s safe to remove it.
After understanding the dependency order of your packages, and determining the ones safe to remove, you can use the uninstall command to uninstall them.
| pip uninstall <package_name> |
Here is an example:
| PS C:\Users\User> pip uninstall download Found existing installation: download 0.3.5 Uninstalling download-0.3.5: Would remove: c:\users\user\appdata\local\programs\python\python39\lib\site-packages\download-0.3.5.dist-info\* c:\users\user\appdata\local\programs\python\python39\lib\site-packages\download\* Proceed (y/n)? y Successfully uninstalled download-0.3.5 |
Notice that pip will ask you to confirm whether you want to uninstall the package. If you want to suppress the confirmation and the file list, just add the -y flag.
| pip uninstall <package_name> -y |
Here is an example:
| PS C:\Users\User> pip uninstall download -y Found existing installation: download 0.3.2 Uninstalling download-0.3.2: Successfully uninstalled download-0.3.2 |
If you want to uninstall several packages, you can specify their names in a single call:
| pip uninstall <package_name> <package_name> <package_name> |
Upgrading A Package
If you want to update to a newer package version, use the following command:
| pip install <package_name> –upgrade |
The above command will uninstall the old package version and install the latest version available.
Here is an example:
| PS C:\Users\User> pip install download –upgrade Collecting download Using cached download-0.3.5-py3-none-any.whl (8.8 kB) …. Installing collected packages: download Attempting uninstall: download Found existing installation: download 0.3.2 Uninstalling download-0.3.2: Successfully uninstalled download-0.3.2 Successfully installed download-0.3.5 |
Using A Requirements File
A requirements file allows you to define the packages and their specific versions required for running a project. By convention, the file is named requirements.txt, but you can provide any name you want.
Here is an example of a requirements.txt file:
| certifi>=2020.11.0 chardet==4.0.0 click>=6.5.0, <7.1 download==0.3.5 Flask>=1.1.0 |
As you can see above, you should define each package on its own line in the text file. You should also use logical operators to stipulate the specific version of the package.
With a requirements file, you can replicate the environment in another system without causing breakages. The file ensures that the specified package versions are installed just as they’re defined in the requirements file.
For example, the == operator tells pip that only the specific version can be installed while >= stipulates that an exact or greater version can be installed. In the case of the click package above, pip can install any version equal or greater than 6.5.0, but less than 7.1.
If you want to install the packages specified in the requirements file, run the pip install command while using the -r flag to denote the requirements file.
Here is the command:
| pip install -r requirements.txt |
The requirements file also allows you to update multiple packages at once. You can use the install command with the –upgrade flag to update all the packages listed on it.
Here is the command:
| pip install –upgrade -r requirements.txt |
You can also remove all the packages provided in a requirements file. Here is the command:
| pip uninstall -r requirements.txt -y |
Alternatives To pip
Although pip is a great tool for Python dependency management, there are other tools you can use to effectively manage packages.
Here are two tools you can consider if pip does not meet your use case:
- Pipenv—this is a higher-level tool that comes with several bells and whistles to make dependency management for common use cases smooth and fast. Whereas pip is usually appropriate for personal projects, Pipenv is mostly recommended for collaborative projects. A notable differentiating feature is that Pipenv uses Pipfile and Pipfile.lock, instead of requirements.txt, to ensure comfortable deterministic builds.
- Poetry—this option for dependency management lets you declare the libraries your project relies on so that it can install, uninstall, and update them for you. Like Pipenv, it makes Python package dependencies management simpler and straightforward. You can use it to manage your projects in a deterministic manner, build and package your projects using one command, and easily publish to PyPI. It uses the pyproject.toml file for orchestrating your project as well as its dependencies.
How Do You Detect Vulnerabilities In Projects?
Managing dependencies when building Python applications can ensure you have stable, predictable builds across different environments.
But how do you know if there are any security vulnerabilities in your Python dependencies?
Mend offers powerful free developer tools to help you automatically find and fix vulnerabilities in your open source dependencies. You can use the tools to get real-time vulnerability alerts, perform automatic dependency updates, and complete several other tasks.
The Mend security tools seamlessly integrate with your Python development environment. This way, you can focus on building your applications while Mend does the heavy lifting on your behalf.
With the security tools, you can be sure of shipping secure, performant, and stable Python applications. They enable you to consume open source software fearlessly and freely.
Contact us today to learn more about the tools.
