How to extract dependencies from a PyPI package without downloading it?

As jinghli notes, there isn’t currently a reliable way to get the dependencies of an arbitrary PyPI package remotely without needing to download it completely. And in fact the dependencies sometimes depend on your environment, so an approach like Brian’s of executing setup.py code is needed in the general case.

The way the Python ecosystem handles dependencies started evolving in the 1990s, before the problem was well understood. PEP 508 — Dependency specification for Python Software Packages sets us on course to improve the situation, and an “aspirational” draft approach in PEP 426 — Metadata for Python Software Packages 2.0 may improve it more in the future, in conjunction with the reimplementation of PyPI as Warehouse.

The current situation is described well in the document Python Dependency Resolution.

PyPI does provide a JSON interface to download metadata for each package. The info.requires_dist object contains a list of names of required packages with optional version restrictions etc. It is often missing, but it is one place to start.

E.g. Django (JSON) indicates:


{
  "info": {
    ...
    "requires_dist": [
      "bcrypt; extra == 'bcrypt'",
      "argon2-cffi (>=16.1.0); extra == 'argon2'",
      "pytz"
    ],
    ...
  }
}
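
An added example, not part of the original answer: it reads info.requires_dist from the JSON metadata, so no setup.py code from the package is executed, and separates unconditional dependencies from extras and environment-dependent ones. The function names, the simplified regex (not a full PEP 508 parser) and the tzdata entry in the sample are assumptions of this example; the URL is PyPI's per-package JSON endpoint.

```python
import json
import re
import urllib.request

# Simplified split: name, optional [extras], spec (bare or in parentheses), "; marker".
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"\(?(?P<spec>[^;()]*)\)?\s*(?:;\s*(?P<marker>.*))?$"
)
_EXTRA = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")


def fetch_metadata(package):
    """Download only the JSON metadata document; no package code is run."""
    url = f"https://pypi.org/pypi/{package}/json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def split_requirements(metadata):
    """Return (always_required, {extra: [...]}, env_conditional) from requires_dist."""
    base, extras, conditional = [], {}, []
    for raw in (metadata.get("info") or {}).get("requires_dist") or []:
        m = _REQ.match(raw)
        if not m:
            conditional.append((raw, None, "unparsed"))
            continue
        entry = (m["name"].lower(), m["spec"].strip())
        marker = (m["marker"] or "").strip()
        extra = _EXTRA.search(marker)
        if extra:
            extras.setdefault(extra.group(1), []).append(entry)
        elif marker:
            conditional.append(entry + (marker,))
        else:
            base.append(entry)
    return base, extras, conditional


# Constructed sample: the Django excerpt above plus one environment-marker entry.
SAMPLE = {"info": {"requires_dist": [
    "bcrypt; extra == 'bcrypt'",
    "argon2-cffi (>=16.1.0); extra == 'argon2'",
    "pytz",
    "tzdata; sys_platform == 'win32'",
]}}

if __name__ == "__main__":
    print(split_requirements(SAMPLE))
```

An empty result does not prove a package has no dependencies, since requires_dist is often missing; treat that case as unknown rather than as safe to install.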
