- Notifications
You must be signed in to change notification settings - Fork0
A command line utility to display dependency tree of the installed Python packages
License
xiacunshun/pipdeptree
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
pipdeptree is a command line utility for displaying the installed python packages in form of a dependency tree. Itworks for packages installed globally on a machine as well as in a virtualenv. Sincepip freeze shows all dependenciesas a flat list, finding out which are the top level packages and which packages do they depend on requires some effort.It's also tedious to resolve conflicting dependencies that could have been installed because older version ofpipdidn't have true dependency resolution1.pipdeptree can help here by identifying conflicting dependenciesinstalled in the environment.
To some extent,pipdeptree is inspired by thelein deps :tree command ofLeiningen.
pip install pipdeptree
New in ver. 2.0.0
If you want to run pipdeptree in the context of a particular virtualenv, you can specify the--python option. Notethat this capability has been recently added in version2.0.0.
Alternatively, you may also install pipdeptree inside the virtualenv and then run it from there.
To give you a brief idea, here is the output ofpipdeptree compared withpip freeze:
$ pip freezeFlask==0.10.1itsdangerous==0.24Jinja2==2.11.2-e git+git@github.com:naiquevin/lookupy.git@cdbe30c160e1c29802df75e145ea4ad903c05386#egg=LookupyMarkupSafe==0.22pipdeptree @ file:///private/tmp/pipdeptree-2.0.0b1-py3-none-any.whlWerkzeug==0.11.2
And now see whatpipdeptree outputs,
$ pipdeptreeWarning!!! Possibly conflicting dependencies found:* Jinja2==2.11.2 - MarkupSafe [required:>=0.23, installed: 0.22]------------------------------------------------------------------------Flask==0.10.1 - itsdangerous [required:>=0.21, installed: 0.24] - Jinja2 [required:>=2.4, installed: 2.11.2] - MarkupSafe [required:>=0.23, installed: 0.22] - Werkzeug [required:>=0.7, installed: 0.11.2]Lookupy==0.1pipdeptree==2.0.0b1 - pip [required:>=6.0.0, installed: 20.1.1]setuptools==47.1.1wheel==0.34.2
New in ver. 0.5.0
Yes, there's a--reverse (or simply-r) flag for this. To find out which packages depend on a particularpackage(s), it can be combined with--packages option as follows:
$ pipdeptree --reverse --packages itsdangerous,MarkupSafeWarning!!! Possibly conflicting dependencies found:* Jinja2==2.11.2 - MarkupSafe [required:>=0.23, installed: 0.22]------------------------------------------------------------------------itsdangerous==0.24 - Flask==0.10.1 [requires: itsdangerous>=0.21]MarkupSafe==0.22 - Jinja2==2.11.2 [requires: MarkupSafe>=0.23] - Flask==0.10.1 [requires: Jinja2>=2.4]
As seen in the above output,pipdeptree by default warns about possible conflicting dependencies. Any package that'sspecified as a dependency of multiple packages with different versions is considered as a conflicting dependency.Conflicting dependencies are possible if older version of pip<=20.2(without the new resolver2) was ever used to install dependencies at somepoint. The warning is printed to stderr instead of stdout and it can be completely silenced by specifying the-w silence or--warn silence option. On the other hand, it can be made mode strict with--warn fail, in which casethe command will not only print the warnings to stderr but also exit with a non-zero status code. This is useful if youwant to fit this tool into your CI pipeline.
Note: The--warn option is added in version0.6.0. If you are using an older version, use--nowarn flag tosilence the warnings.
In case any of the packages have circular dependencies (eg. package A depends on package B and package B depends onpackage A), thenpipdeptree will print warnings about that as well.
$ pipdeptree --exclude pip,pipdeptree,setuptools,wheelWarning!!! Cyclic dependencies found:- CircularDependencyA => CircularDependencyB => CircularDependencyA- CircularDependencyB => CircularDependencyA => CircularDependencyB------------------------------------------------------------------------wsgiref==0.1.2argparse==1.2.1
Similar to the warnings about conflicting dependencies, these too are printed to stderr and can be controlled using the--warn option.
In the above example, you can also see--exclude option which is the opposite of--packages ie. these packages willbe excluded from the output.
If you wish to track only top level packages in yourrequirements.txt file, it's possible by grep-ing3. only thetop-level lines from the output,
$ pipdeptree --warn silence| grep -E'^\w+'Flask==0.10.1gnureadline==8.0.0Lookupy==0.1pipdeptree==2.0.0b1setuptools==47.1.1wheel==0.34.2
There is a problem here though - The output doesn't mention anything aboutLookupy being installed as aneditablepackage (refer to the output ofpip freeze above) and information about its source is lost. To fix this,pipdeptreemust be run with a-f or--freeze flag.
$ pipdeptree -f --warn silence| grep -E'^[a-zA-Z0-9\-]+'Flask==0.10.1gnureadline==8.0.0-e git+git@github.com:naiquevin/lookupy.git@cdbe30c160e1c29802df75e145ea4ad903c05386#egg=Lookupypipdeptree @ file:///private/tmp/pipdeptree-2.0.0b1-py3-none-any.whlsetuptools==47.1.1wheel==0.34.2$ pipdeptree -f --warn silence| grep -E'^[a-zA-Z0-9\-]+'> requirements.txt
The freeze flag will not prefix child dependencies with hyphens, so you could dump the entire output ofpipdeptree -fto the requirements.txt file thus making it human-friendly (due to indentations) as well as pip-friendly.
$ pipdeptree -f| tee locked-requirements.txtFlask==0.10.1 itsdangerous==0.24 Jinja2==2.11.2 MarkupSafe==0.23 Werkzeug==0.11.2gnureadline==8.0.0-e git+git@github.com:naiquevin/lookupy.git@cdbe30c160e1c29802df75e145ea4ad903c05386#egg=Lookupypipdeptree @ file:///private/tmp/pipdeptree-2.0.0b1-py3-none-any.whl pip==20.1.1setuptools==47.1.1wheel==0.34.2On confirming that there are no conflicting dependencies, you can even treat this as a "lock file" where all packages,including the transient dependencies will be pinned to their currently installed versions. Note that thelocked-requirements.txt file could end up with duplicate entries. Althoughpip install wouldn't complain aboutthat, you can avoid duplicate lines (at the cost of losing indentation) as follows,
$ pipdeptree -f| sed's/ //g'| sort -u> locked-requirements.txt
New in ver. 0.5.0
It's also possible to havepipdeptree output json representation of the dependency tree so that it may be used asinput to other external tools.
$ pipdeptree --json
Note that--json will output a flat list of all packages with their immediate dependencies. This is not very useful initself. To obtain nested json, use--json-tree
New in ver. 0.11.0
$ pipdeptree --json-tree
The dependency graph can also be visualized usingGraphViz:
$ pipdeptree --graph-output dot> dependencies.dot$ pipdeptree --graph-output pdf> dependencies.pdf$ pipdeptree --graph-output png> dependencies.png$ pipdeptree --graph-output svg> dependencies.svg
Note thatgraphviz is an optional dependency ie. required only if you want to use--graph-output. If the version ofgraphviz installed in the env is older than 0.18.1, then a warning will be displayed about upgradinggraphviz.Support for older versions of graphviz will be dropped soon.
Since version2.0.0b1,--package and--reverse flags are supported for all output formats ie. text, json,json-tree and graph.
In earlier versions,--json,--json-tree and--graph-output options override--package and--reverse.
% pipdeptree --helpusage: pipdeptree [-h] [-v] [-w [{silence,suppress,fail}]] [--python PYTHON] [-p P] [-e P] [-a] [-l|-u] [-f] [--encoding E] [-d D] [-r] [--license] [-j| --json-tree| --mermaid| --graph-output FMT]Dependency tree of the installed python packagesoptions:-h, --help show thishelp message andexit -v, --version show program's version number and exit -w [{silence,suppress,fail}], --warn [{silence,suppress,fail}] warning control: suppress will show warnings but return 0 whether or not they are present; silence will not show warnings at all and always return 0; fail will show warnings and return 1 if any are present (default: suppress)select: choose what to render --python PYTHON Python interpreter to inspect (default: /usr/local/bin/python) -p P, --packages P comma separated list of packages to show - wildcards are supported, like'somepackage.*' (default: None) -e P, --exclude P comma separated list of packages to not show - wildcards are supported, like'somepackage.*'. (cannot combine with -p or -a) (default: None) -a, --all list all deps at top level (default: False) -l, --local-only if in a virtualenv that has global access do not show globally installed packages (default: False) -u, --user-only only show installations in the user site dir (default: False)render: choose how to render the dependency tree (by default will use text mode) -f, --freeze print names so as to write freeze files (default: False) --encoding E the encoding to use when writing to the output (default: utf-8) -d D, --depth D limit the depth of the tree (text render only) (default: inf) -r, --reverse render the dependency tree in the reverse fashion ie. the sub-dependencies are listed with the list of packages that need them under them (default: False) --license list the license(s) of a package (text render only) (default: False) -j, --json raw JSON - this will yield output that may be used by external tools (default: False) --json-tree nested JSON - mimics the text format layout (default: False) --mermaid https://mermaid.js.org flow diagram (default: False) --graph-output FMT Graphviz rendering with the value being the graphviz output e.g.: dot, jpeg, pdf, png, svg (default: None)pipdeptreerelies on the internal API ofpip. I fully understand that it's a bad idea but it mostly works! Onrare occasions, it breaks when a new version ofpipis out with backward incompatible changes in internal API. Sobeware if you are using this tool in environments in whichpipversion is unpinned, specially automation or CD/CIpipelines.
pipdeptree merely looks at the installed packages in the current environment using pip, constructs the tree, thenoutputs it in the specified format. If you want to generate the dependency tree without installing the packages, thenyou need a dependency resolver. You might want to check alternatives such aspipgrip orpoetry.
MIT (SeeLICENSE)
Footnotes
pip version 20.3 has been released in Nov 2020 with the dependency resolver<https://blog.python.org/2020/11/pip-20-3-release-new-resolver.html>_↩
pip version 20.3 has been released in Nov 2020 with the dependency resolver<https://blog.python.org/2020/11/pip-20-3-release-new-resolver.html>_↩
If you are on windows (powershell) you can run
pipdeptree --warn silence | Select-String -Pattern '^\w+'insteadof grep↩