Dependency management tools for Python
Managing dependencies is important to the health of your Python project. A project with properly managed dependencies reaps rewards in terms of predictability, sustainability, and security. Well-managed dependencies ensure predictable behavior across local, development, and production environments. If your dependencies are well managed, you won't find yourself on the wrong end of a long-term support timeline or have dependencies that are out of step with one another. Proper dependency management also includes knowing all the packages you are using (whether directly or indirectly, through the dependencies of your dependencies), understanding any security issues in them, and taking the appropriate steps to fix problems.
Dependency management can be hard to do well, and there are a number of options for how to approach this issue for your Python project. We will discuss some of your options here, with the goal of making dependency management as straightforward as possible.
What are my options for dependency management in Python?
The venv module is part of the Python standard library starting in version 3.3, so if you have Python 3.3 or higher on your machine, you have venv. Venv creates virtual environments: isolated directories with their own site-packages and their own `python` and `pip` entry points, tied to the interpreter you used to create them (an environment created with Python 3.8 stays a 3.8 environment). To learn how to use venv to create an environment, activate it, and install packages into it, see the official Python documentation. Venv is easy to use, lightweight, and a great choice for many Python projects.
Virtualenv is a third-party library that creates virtual environments and also works with older versions of Python. Many developers moved to `venv` after it was added to the standard library in Python 3.3. Python 2.7 reached end of life at the beginning of 2020, and we do not recommend its use; however, if you are stuck with a project that uses Python 2.7, you can still create virtual environments for it with virtualenv. Virtualenv also has features that venv does not, so some Pythonistas use it for their Python 3 projects too: it can be upgraded through pip independently of your interpreter, it creates environments faster, and it exposes a richer API. As of this writing, virtualenv is actively maintained, with its most recent release dating to April 2020. It may be a project many associate with Python 2.7, but it is alive and well and fully compatible with Python 3.
Pipenv is an option for dependency management that has some bells and whistles. Its most obvious differentiator is that it writes a lock file, `Pipfile.lock`, which records the exact version and the sha256 hashes of every resolved package so that builds are deterministic. It also has some more advanced features: specifying a package index, checking the locked dependencies against a database of known vulnerabilities (`pipenv check`), loading environment variables from a `.env` file, and working well on Windows. As of this writing, Pipenv's most recent release dates to late 2018. Because Pipenv has not been updated for a year and a half, some Pythonistas may be hesitant to use it. I think the tool is easy to use, but I might hesitate to pick it for a project that I expect to be hacking on long term.
Poetry is a tool for dependency management and packaging in Python. Like Pipenv, Poetry uses a lock file (`poetry.lock`, which also records file hashes) for deterministic builds. By default Poetry always installs into a virtual environment, so you won't mess up global installs (this can be switched off through the `virtualenvs.create` setting, so check it before relying on the isolation in CI). You declare your dependencies through the command line (`poetry add`) or by editing your `pyproject.toml` file. Poetry makes it easy to specify version constraints, which is great for keeping out versions with known security vulnerabilities, with the caveat that a constraint only excludes the versions you already know about; pair it with a vulnerability scanner. As of this writing, Poetry is actively maintained, with its most recent release dating to February 2020, and a pre-release from March 2020.
Pip-tools is an open source set of tools that keeps your pip-based requirements pinned and lets you update them deliberately (pinning helps ensure deterministic builds). It consists of two commands, `pip-compile` and `pip-sync`. `pip-compile` reads your top-level requirements from `requirements.in` (or `setup.py`) and writes a `requirements.txt` in which every package, including transitive dependencies, is pinned to an exact version; rerun it with `--upgrade` to move the pins forward, and with `--generate-hashes` to record a hash for each file so that `pip install --require-hashes` can verify what it downloads. `pip-sync` then installs exactly what `requirements.txt` lists, removing anything in the environment that the file does not mention. As of this writing, pip-tools is actively maintained, with its most recent release dating to February 2020.
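The security value of a lock file, whether it is `Pipfile.lock`, `poetry.lock`, or a `requirements.txt` produced by `pip-compile --generate-hashes`, is that every artifact can be checked against a recorded digest before it is installed: `pip install --require-hashes -r requirements.txt` refuses any requirement that carries no hash and any file whose hash does not match. The following added example (written for this article, not code from pip, pip-tools, Pipenv or Poetry) re-implements that check in Python over a constructed requirements file and constructed wheel bytes, so you can see exactly which conditions cause a refusal: a line that is pinned but not hashed, and an artifact that was altered after the hash was recorded. The package names, file contents and the `# via` comments are all made up for the example.

```python
import hashlib
import re

# Constructed stand-ins for wheel files an index might serve (not real packages).
CERTIFI_WHEEL = b"PK\x03\x04 constructed bytes of certifi-2020.4.5.1-py2.py3-none-any.whl"
IDNA_WHEEL = b"PK\x03\x04 constructed bytes of idna-2.9-py2.py3-none-any.whl"
IDNA_TAMPERED = IDNA_WHEEL + b"\n# bytes appended after the hash was recorded"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements.txt in the shape `pip-compile --generate-hashes`
# writes: exact pins, backslash continuations, one --hash per file, "# via"
# comments. The six line is pinned without a hash on purpose.
REQUIREMENTS_TXT = f"""\
#
# This file is autogenerated by pip-compile
#
certifi==2020.4.5.1 \\
    --hash=sha256:{sha256(CERTIFI_WHEEL)}
    # via requests
idna==2.9 \\
    --hash=sha256:{sha256(IDNA_WHEEL)}
    # via requests
six==1.14.0    # via python-dateutil
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so Foo_Bar and foo.bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return {name: (version, {(algo, digest), ...})} for an exactly pinned file.

    Joins backslash-continued lines and drops comments, as pip does. Anything
    that is not an exact `==` pin is rejected: hash checking needs exact pins.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    reqs = {}
    for entry in logical:
        m = PIN_RE.match(entry)
        if not m:
            raise ValueError(f"not an exact pin: {entry!r}")
        hashes = {(h.group("algo"), h.group("digest").lower())
                  for h in HASH_RE.finditer(entry)}
        reqs[normalize(m.group("name"))] = (m.group("version"), hashes)
    return reqs


def verify(reqs: dict, served: dict) -> list:
    """Apply pip's --require-hashes rules to the artifacts the index served.

    served maps normalized name -> file bytes. Returns a list of reasons to
    refuse the install; an empty list means every file matched its record.
    """
    problems = []
    for name, (version, hashes) in reqs.items():
        if not hashes:
            problems.append(f"{name}=={version}: pinned but no --hash; a pin alone "
                            "does not prove this is the file you reviewed")
            continue
        data = served.get(name)
        if data is None:
            problems.append(f"{name}=={version}: nothing served")
            continue
        if not any(hashlib.new(algo, data).hexdigest() == digest
                   for algo, digest in hashes):
            problems.append(f"{name}=={version}: hash mismatch, artifact differs "
                            "from the one the lock file recorded")
    return problems


def check_sample() -> list:
    """Run the check over the constructed file: certifi is intact, idna was
    altered after locking, six was never hashed."""
    reqs = parse_requirements(REQUIREMENTS_TXT)
    served = {"certifi": CERTIFI_WHEEL, "idna": IDNA_TAMPERED,
              "six": b"PK\x03\x04 constructed six-1.14.0 wheel"}
    return verify(reqs, served)


if __name__ == "__main__":
    for reason in check_sample():
        print("REFUSED:", reason)
```

Note that a version pin on its own only fixes which version string the index resolves, not which bytes you get; the hash is what turns a reproducible install into a verifiable one, which is why the unhashed `six` line is refused even though it is pinned.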
Hatch is an open source productivity tool that not only helps you manage your dependencies but also includes features for testing and more. It also includes tools for interacting with PyPI, so it is a good fit for open source maintainers. As of this writing, Hatch appears to be actively maintained; its most recent release dates to October 2019. Some of the other options on this list have more recent updates, but Hatch is probably still a safe choice from a maintenance standpoint.
How do I know if there are security vulnerabilities in the projects I am using?
The tools in the previous section will help ensure that your dependencies are installed, up-to-date, and isolated from other versions you may have installed for other projects. These tools help you have predictable, stable builds across environments.
Those properties are very important, but they are not the only concern. You will also want to know about any security vulnerabilities in your dependencies, direct or transitive, and you'll want to fix them. Pipenv has some functionality for this (`pipenv check`, which scans the locked dependencies against a database of known vulnerabilities). Regardless of which dependency management tool you choose, Snyk can help you find and fix vulnerabilities in your Python project's dependencies. You can even open a fix PR directly from our dashboard. Best of all, Snyk is free for open source and public projects, and our free tier includes 200 scans per month for private repositories. It is easier than ever to use open source and stay secure.