Is your feature request related to a problem? Please describe.
Working in an enterprise setting there are strict requirements regarding deploying secure software. Reducing the attack surface by installing only essential packages is key. As of now, dash requires some packages to be installed in the runtime environment which are not needed to run the app at all or not in particular / newer python versions.
Describe the solution you'd like
Leverage PEP-518, which allows removing setuptools as a runtime dependency and adding it as a build time dependency.
importlib_metadata is sparsely used. Depending on the python version and features needed for this package, it is not required at all and can be replaced with importlib.metadata, which is included in the python standard lib (at least for >3.8). Require it only for older python versions. You can handle if the version from the standard-lib or the installed packages should be used by checking the python version when the packages are imported. Add e.g. importlib-metadata ; python_version < 3.9 to the respective requirements file.
I am pretty sure that the typing_extensions package is not needed for newer python versions (>=3.10). If you do not leverage runtime type checking you can make it optional. For newer python versions the types can be imported from the typing package. Additionally, you can leverage the typing.TYPE_CHECKING constant. Again, require it only for older python versions and check the python version before importing the package.
Describe alternatives you've considered
No
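The marker-based approach proposed in this issue can be checked before a deployment. The following is an added example, not code from the issue or from Dash: it evaluates python_version markers on constructed requirement lines to show which packages end up in the runtime environment for a given interpreter, next to the matching import guard. The requirement lines and the function name runtime_requirements are assumptions, and only python_version comparisons are handled.

```python
import re
import sys

# Import guard that matches the marker below: on 3.9+ nothing extra is installed.
if sys.version_info >= (3, 9):
    from importlib import metadata as importlib_metadata  # standard library
else:
    import importlib_metadata  # backport, present only where the marker applies

# Constructed requirement lines in the style the issue proposes (an assumption,
# not Dash's requirements/install.txt). PEP 508 markers quote the version string.
SAMPLE_REQUIREMENTS = """\
Flask>=1.0
importlib-metadata ; python_version < "3.9"
typing-extensions ; python_version < "3.10"
"""

_MARKER = re.compile(r"""^python_version\s*(<=|>=|==|!=|<|>)\s*["'](\d+\.\d+)["']$""")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def _version(text):
    # Compare as integer tuples: as strings, "3.10" would sort before "3.9".
    return tuple(int(part) for part in text.split("."))[:2]


def runtime_requirements(lines, python_version):
    """Names of the requirements that apply to python_version, e.g. "3.12"."""
    current = _version(python_version)
    selected = []
    for raw in lines.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, _, marker = (part.strip() for part in line.partition(";"))
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec).group(0)
        if marker:
            found = _MARKER.match(marker)
            if found is None:
                raise ValueError(f"unsupported marker: {marker!r}")
            op, wanted = found.groups()
            if not _OPS[op](current, _version(wanted)):
                continue
        selected.append(name)
    return selected
```

Running it for each supported interpreter version gives the per-version package list that a reviewer can compare against what is actually installed in the image.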
As this is an older library, the build system is legacy and works as is; setuptools barely adds any install time. While it would be cool to change the build system, there have been efforts by the community to update it; that PR was maybe going a bit too far with all the file moving and there are now many conflicts, but it's a good start. Might be better to extract the pyproject.toml changes without the file moving and make a new PR.
importlib-metadata is leftover from supporting Python versions from 3.6, we dropped that and I think it could be removed now, we'll gladly look at a PR for that.
typing_extensions is actually used extensively from the coming Dash 3.0, we have no plan of dropping Python version 3.8 support for the time being and need the accommodations it provides.
gvwilson
changed the title
[Feature Request] Improve Dependency Management
Improve Dependency Management by removing packages not needed at runtime
Nov 11, 2024
Dash runtime requirements include some packages that are not needed at runtime.
See requirements/install.txt