
Improve Dependency Management by removing packages not needed at runtime #3062

Open
waldemarmeier opened this issue Nov 6, 2024 · 1 comment
Labels
feature something new P2 considered for next cycle

@waldemarmeier

Dash runtime requirements include some packages that are not needed at runtime.

See requirements/install.txt

Is your feature request related to a problem? Please describe.
Working in an enterprise setting there are strict requirements regarding deploying secure software. Reducing the attack surface by installing only essential packages is key. As of now, dash requires some packages to be installed in the runtime environment which are not needed to run the app at all, or not in particular / newer python versions.

Describe the solution you'd like

  1. Leverage PEP-518, which allows removing setuptools as a runtime dependency and adding it as a build time dependency.
  2. importlib_metadata is sparsely used. Depending on the python version and features needed for this package, it is not required at all and can be replaced with importlib.metadata, which is included in the python standard lib (at least for >3.8). Require it only for older python versions. You can handle whether the version from the standard lib or the installed package should be used by checking the python version when the packages are imported. Add e.g. importlib-metadata ; python_version < 3.9 to the respective requirements file.

     import sys

     if sys.version_info >= (3, 8):
         from importlib.metadata import ...
     else:
         from importlib_metadata import ...

  3. I am pretty sure that the typing_extensions package is not needed for newer python versions (>=3.10). If you do not leverage runtime type checking you can make it optional. For newer python versions the types can be imported from the typing package. Additionally, you can leverage the typing.TYPE_CHECKING constant. Again, require it only for older python versions and check the python version before importing the package.

Describe alternatives you've considered
No
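As an added example (not code from the issue or from the Dash project), the following module shows both halves of step 2 above: the version-gated import of importlib.metadata with the importlib_metadata backport as fallback, and a small evaluator for the `python_version` environment marker that would gate the backport in the requirements file. It assumes only that marker form needs handling (a constructed subset of PEP 508) and uses constructed distribution names as input.

```python
import re
import sys
from typing import Optional, Tuple

# importlib.metadata is standard library from Python 3.8; older interpreters
# fall back to the importlib_metadata backport, which the requirements file
# would then list with a "python_version" marker so it is not installed
# (and not part of the attack surface) on newer interpreters.
if sys.version_info >= (3, 8):
    from importlib.metadata import PackageNotFoundError, version
else:  # only reachable on Python < 3.8
    from importlib_metadata import PackageNotFoundError, version


def installed_version(dist_name: str) -> Optional[str]:
    """Installed version of a distribution, or None when it is absent."""
    try:
        return version(dist_name)
    except PackageNotFoundError:
        return None


# Constructed subset of PEP 508: only the python_version marker is handled.
_MARKER = re.compile(
    r"^python_version\s*(<=|>=|<|>|==|!=)\s*['\"]?(\d+(?:\.\d+)*)['\"]?$"
)


def requirement_applies(line: str, python_version: Tuple[int, ...]) -> bool:
    """Decide whether a requirements line such as
    'importlib-metadata ; python_version < "3.9"' applies to the given
    interpreter version. Lines without a marker always apply."""
    _, _, marker = line.partition(";")
    marker = marker.strip()
    if not marker:
        return True
    match = _MARKER.match(marker)
    if not match:
        raise ValueError(f"unsupported marker: {marker!r}")
    op = match.group(1)
    target = tuple(int(part) for part in match.group(2).split("."))
    # Compare as integer tuples over the components the marker supplies
    # (PEP 508's python_version is major.minor); a plain string comparison
    # would wrongly order "3.10" before "3.9".
    have = python_version[: len(target)]
    return {
        "<": have < target, "<=": have <= target, "==": have == target,
        ">": have > target, ">=": have >= target, "!=": have != target,
    }[op]
```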
@T4rk1n (Contributor)

T4rk1n commented Nov 6, 2024

  1. As this is an older library, the build system is legacy and works as is; setuptools barely adds any install time. While it would be cool to change the build system, there have been efforts by the community to update it; that PR was maybe going a bit too far with all the file moving and there are now many conflicts, but it's a good start. Might be better to extract the pyproject.toml changes without the file moving and make a new PR.
  2. importlib-metadata is leftover from supporting Python versions from 3.6, we dropped that and I think it could be removed now, we'll gladly look at a PR for that.
  3. typing_extensions is actually used extensively from the coming Dash 3.0, we have no plan of dropping Python version 3.8 support for the time being and need the accommodations it provides.

@gvwilson gvwilson changed the title [Feature Request] Improve Dependency Management Improve Dependency Management by removing packages not needed at runtime Nov 11, 2024
@gvwilson gvwilson added feature something new P2 considered for next cycle labels Nov 11, 2024