Skip to content

Instantly share code, notes, and snippets.

@antichris
Last active September 1, 2022 10:56
Show Gist options
  • Save antichris/ed46684e18fac987088797a7ef320843 to your computer and use it in GitHub Desktop.
Save antichris/ed46684e18fac987088797a7ef320843 to your computer and use it in GitHub Desktop.
Why Python dependency management sucks

Why Python dependency management sucks

Lack of a comprehensive official standard tool. "Comprehensive" being the key word here.

  • virtualenv
  • venv
  • pipenv
  • poetry
  • pdm
  • (ana)conda
  • mamba
  • pyenv

Some of those can only maintain package dependencies, some manage Python runtime and standard library versions, some try to do both. All of them can run into version conflicts at any time.

Tools for other languages

Others have done a vastly superior job to solve this. Here are my personal favorites.

deno for TypeScript

Use deps.ts to list all dependencies of your module. Use dev_deps.ts to list the dependencies that are specific to the development environment (e.g. testing tools).

You can also use the --import-map CLI flag or importMap option in a config file (deno.json by default) to specify an import map (e.g. imports.json) and alias the versioned dependency paths (URLs) to more wieldy module names.

Specify exact version numbers to get the exact versions. Use deno cache to download the (recursive) dependencies to a centralized local storage.

Every module is completely isolated from any other module dependency-wise: e.g., if your module requires foo@1 and bar@2, but foo@1 depends on bar@1, it does not affect your module in any way. Every unique dependency is cached globally once and reused as required by modules.

Builds are guaranteed to be reproducible.

It is even possible to simultaneously use multiple different versions of a dependency in the same module, given that each is aliased to a different identifier.

go mod for Go

Use the built-in automated tools (e.g. go get, go install, go mod) to maintain go.mod of your module, or do it manually.

Go will resolve the dependencies of your module to the lowest common denominator semantic version, and cache to a centralized local storage. New releases do not affect your builds, unless you explicitly update a dependency to a newer version.

Builds are guaranteed to be reproducible.

Very large (read, humongous) projects run a slight risk of a major-version conflict among transitive dependencies, which may require downgrading a direct dependency to an inferior version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment