Python package management and deprecated packages
I have a Python project where I manage project dependencies using requirements.txt. All packages have locked versions and I periodically do a manual update to the latest versions. Recently I did something new: instead of the usual flow, where I just remove "==<version>" from all/some packages to see which versions will be installed, I deleted all content from requirements.txt and tried to run the app over and over again to see which "Module not found ..." errors I would get, inserting the package which solves each error to get to the next one. This flow allowed me to identify that the `msrestazure` package which I had in my requirements.txt is actually deprecated and that I need to use `msrest` instead. Basically this problem can happen with ANY dependency in the project, and the way to find this out is pretty expensive. While searching for a faster solution I found `pipreqs`, which helps a bit, but unfortunately after generating requirements.txt using pipreqs I still needed to do around 10 iterations to cover some runtime dependencies which pipreqs was not able to identify.

Q: Is there any tool which can automatically solve such a problem?

P.S. I would expect suggestions to switch to Poetry or maybe some other package management. I am totally fine with this if you know that the scenario which I described here would allow me to more easily identify that `msrestazure` is deprecated.
Hi,

On Wed, Oct 30, 2024 at 5:27 PM Dirk Müller <dmueller@suse.com> wrote:

> I was using pip-upgrader in the past for that. But there is also "pip list --outdated", which lists packages installed in your venv that are not the latest version.

The problem which I raised has nothing to do with outdated packages. It is about **deprecated** packages. https://pypi.org/project/msrestazure/ has the disclaimer: `*This package is deprecated and no longer receives updates*`. So if you install it today you will obviously get the latest version available, so from the POV of "pip list --outdated" this package is fine, but in fact it is even worse than just an outdated package. This one will stay at the same version FOREVER, and if such a package has some requirement, let's say `requests <= X`, it will block your requests from being updated, and so on and on ...

Accidentally I discovered this deprecation disclaimer by reading it with my own eyes on the https://pypi.org/project/msrestazure/ page, but what to do if your project has dozens of dependencies and each one can become **deprecated** (NOT outdated) at any point in time? When you are just solving the problem "I want all packages to have the latest versions available" you will never notice this, because you would truly have the latest version available.

--
Best regards,
Anton Smorodskyi
SUSE Software Solutions Germany GmbH
Frankenstr. 146
90461 Nuernberg
Germany
www.suse.com
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
Hi Anton,

On Thu, 31 Oct 2024 at 14:45, Anton Smorodskyi <anton.smorodskyi@suse.com> wrote:

> version available so from POV of "pip list --outdated" this package is fine, but in fact it is even worse than just an outdated package. This one will stay at the same version FOREVER and if such a package has some requirement let's say `requests <= X` it will block your requests from being updated and so on and on ...

Okay, you can use snyk for this - https://snyk.io/advisor/check/python or the command line tooling. I have a script that scrapes https://snyk.io/advisor/python/msrestazure which would have told you the project is inactive. I'm not aware of a good command line tool that does that out of the box, however.

Greetings,
Dirk
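One way to run such a check yourself, as an added example that is code from neither participant in this thread and not the Snyk scraper Dirk mentions: a small script that reads requirements.txt and inspects each project's PyPI JSON document for signs of deprecation rather than for newer versions, which is exactly the gap Anton describes with "pip list --outdated". The PyPI endpoint https://pypi.org/pypi/<name>/json and its `info.summary`, `info.description`, `info.classifiers`, `info.requires_dist`, `info.yanked` and `releases[...][].upload_time_iso_8601` fields are real; the `STALE_DAYS` threshold is an assumption, and the package names, metadata and dates in the sample are constructed so the script runs offline.

```python
# Flag requirements that look deprecated or abandoned, not merely outdated.
# `pip list --outdated` compares installed versions with the newest release, so a
# package frozen at its final release looks healthy; this looks for deprecation
# signals in the PyPI JSON metadata instead.
import json
import re
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

STALE_DAYS = 730  # assumed threshold: flag projects with no upload for two years
DEPRECATED_RE = re.compile(
    r"\b(deprecated|no longer (?:maintained|receives updates)|end[- ]of[- ]life)\b", re.I)


def parse_requirements(text):
    """Project names from requirements.txt; skips comments, blank lines and pip options."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0).lower())
    return names


def upper_bound_pins(requires_dist):
    """(dependency, bound) pairs for requires_dist entries carrying a '<' or '<=' bound."""
    pins = []
    for req in requires_dist or []:
        spec = req.split(";", 1)[0]  # drop environment markers such as python_version
        name = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
        bound = re.search(r"(<=?)\s*([0-9][^,;\s)]*)", spec)
        if name and bound:
            pins.append((name.group(1).lower(), bound.group(1) + bound.group(2)))
    return pins


def latest_upload(meta):
    """Newest upload time across all release files, or None if there are none."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for files in meta.get("releases", {}).values() for f in files]
    return max(times) if times else None


def deprecation_signals(meta, now=None):
    """Human-readable warnings derived from one PyPI JSON document ([] = nothing found)."""
    now = now or datetime.now(timezone.utc)
    info = meta.get("info", {})
    signals = []
    notice = DEPRECATED_RE.search(f"{info.get('summary') or ''}\n{info.get('description') or ''}")
    if notice:
        signals.append(f"deprecation notice in summary/description: '{notice.group(0)}'")
    if "Development Status :: 7 - Inactive" in (info.get("classifiers") or []):
        signals.append("classifier 'Development Status :: 7 - Inactive'")
    if info.get("yanked"):
        signals.append("latest release is yanked")
    last = latest_upload(meta)
    if last is None:
        signals.append("no release files on PyPI")
    elif now - last > timedelta(days=STALE_DAYS):
        signals.append(f"last upload {last.date()} is more than {STALE_DAYS} days old")
    for dep, bound in upper_bound_pins(info.get("requires_dist")):
        signals.append(f"upper-bound pin '{dep}{bound}' may block upgrades of {dep}")
    return signals


def fetch_metadata(name, timeout=10):
    """Fetch the PyPI JSON document for one project (real endpoint, network call)."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=timeout) as resp:
        return json.load(resp)


def audit(requirements_text, fetch=fetch_metadata, now=None):
    """Map each requirement name to its deprecation signals; fetch errors are reported, not fatal."""
    report = {}
    for name in parse_requirements(requirements_text):
        try:
            meta = fetch(name)
        except Exception as exc:  # 404 or network error: keep auditing the rest
            report[name] = [f"could not fetch metadata: {exc}"]
            continue
        report[name] = deprecation_signals(meta, now=now)
    return report


# Constructed sample data in the shape of PyPI's JSON API; not real project metadata.
SAMPLE_METADATA = {
    "frozenlib": {"info": {"summary": "Client helpers (this package is deprecated and no longer receives updates)",
                           "classifiers": ["Development Status :: 7 - Inactive"], "yanked": False,
                           "requires_dist": ["requests (<=2.25.0,>=2.0.0)", "six>=1.10"]},
                  "releases": {"0.6.4": [{"upload_time_iso_8601": "2020-06-01T10:00:00.000000Z"}]}},
    "healthylib": {"info": {"summary": "Actively maintained helpers", "requires_dist": ["six>=1.10"],
                            "classifiers": ["Development Status :: 5 - Production/Stable"]},
                   "releases": {"3.2.0": [{"upload_time_iso_8601": "2024-10-01T10:00:00.000000Z"}]}},
}
SAMPLE_REQUIREMENTS = "# constructed requirements.txt\nfrozenlib==0.6.4\nhealthylib==3.2.0  # pinned\n-r other.txt\n"
FIXED_NOW = datetime(2024, 10, 31, tzinfo=timezone.utc)


def run_sample():
    """Audit the constructed sample offline with a fixed clock so the result is stable."""
    return audit(SAMPLE_REQUIREMENTS, fetch=SAMPLE_METADATA.__getitem__, now=FIXED_NOW)


if __name__ == "__main__":  # usage: python audit_deps.py requirements.txt (queries PyPI)
    report = audit(open(sys.argv[1]).read()) if len(sys.argv) > 1 else run_sample()
    for name, signals in report.items():
        print(name + ":", "OK" if not signals else "\n  - " + "\n  - ".join(signals))
```

Run with a path to a real requirements.txt to query PyPI, or with no arguments to see the constructed sample, where the frozen package is reported for its notice, its Inactive classifier, its stale last upload and its `requests<=2.25.0` pin while the maintained one comes back clean. The signals are heuristics: a project can be abandoned without saying so anywhere in its metadata, so a clean report means "no evidence", not "maintained".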