Zen of Python Dependency Management

Dependency resolution via pyproject.toml: replacing setup.py, requirements.txt, and MANIFEST.in

Justin Mayer

Tags: Deployment/Continuous Integration and Delivery; Open-Source; Packaging; PyPI

Ensuring reliably repeatable dependency installation has long been an unsolved problem for many Python projects. Pinning dependencies via setup.py and requirements.txt has historically meant extra work and unexpected results, particularly when managing the dependencies of dependencies, which neither file resolves or locks for you.

Thanks to PEP 518, Python projects can now declare their build requirements in the new pyproject.toml file. In its wake, a number of useful tools have arisen around this file that provide enhanced dependency resolution, including Poetry, Hatch, and Pipenv.

Attendees of this talk will take home the following knowledge and skills:

* how to replace three files (setup.py, requirements.txt, and MANIFEST.in) with just one: pyproject.toml
* why dependency resolution is hard and why it matters
* how Poetry, Hatch, and Pipenv differ and when to use each
* why one might use a less magical alternative: pip-tools
* how to use pipx to isolate system-wide Python tools
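A worked example of the property the "pin everything" approach is after, added here and not part of the talk, of pip, or of pip-tools: a small model of what `pip install --require-hashes` does with a requirements.txt that `pip-compile --generate-hashes` wrote. The lock-file text, the project names (`colours`, `leftpad`, `colourkit`) and the artifact bytes are all constructed for this example; only the pip-tools line layout and pip's rule that every requirement must carry a hash and every downloaded file must match one of them are real.

```python
"""Model of pip's --require-hashes check over a pip-tools style lock file.

Added example for the pinning discussion above; not code from the talk, pip,
or pip-tools. All project names, file contents and digests are constructed.
"""
import hashlib
import re

# Digest algorithms pip accepts in --hash options (md5/sha1 are rejected).
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}

# Constructed "downloaded" distributions keyed by normalized project name,
# i.e. what the resolver holds after fetching from the index. The bytes are
# placeholders standing in for real wheel/sdist contents.
DOWNLOADS = {
    "leftpad": ("leftpad-1.0.0-py3-none-any.whl",
                b"PK\x03\x04 placeholder wheel contents for leftpad 1.0.0"),
    "colours": ("colours-2.3.1.tar.gz",
                b"\x1f\x8b placeholder sdist contents for colours 2.3.1"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lock file in the layout `pip-compile --generate-hashes` writes:
# one exact pin per logical line, backslash continuations, one --hash option
# per published artifact, and "# via" comments naming the requirer. Digests
# are derived from the placeholder bytes above so the clean case verifies;
# the all-zero digest stands in for a second colours artifact (e.g. a wheel).
LOCK_FILE = f"""\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes requirements.in
#
colours==2.3.1 \\
    --hash=sha256:{sha256_hex(DOWNLOADS['colours'][1])} \\
    --hash=sha256:{'0' * 64}
    # via leftpad
leftpad==1.0.0 \\
    --hash=sha256:{sha256_hex(DOWNLOADS['leftpad'][1])}
    # via -r requirements.in
"""

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)(?P<opts>.*)$")
HASH_RE = re.compile(r"--hash=(?P<algo>[A-Za-z0-9]+):(?P<hex>[0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 normalization, so Left_Pad and leftpad are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock_file(text: str) -> dict:
    """Return {project: (version, {algo: {hexdigest, ...}})}.

    Joins backslash continuations into logical lines, drops comments and
    blank lines, and refuses anything that is not an exact == pin.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:  # file ended inside a continuation
        logical.append(buf)

    pins = {}
    for line in logical:
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        hashes: dict = {}
        for h in HASH_RE.finditer(m["opts"]):
            algo = h["algo"].lower()
            if algo not in ALLOWED_ALGOS:
                raise ValueError(f"{m['name']}: unsupported hash algorithm {algo}")
            hashes.setdefault(algo, set()).add(h["hex"].lower())
        pins[normalize(m["name"])] = (m["version"], hashes)
    return pins


def verify_downloads(lock_text: str, downloads: dict, require_hashes: bool = True):
    """Model pip's --require-hashes decision for a set of fetched files.

    Returns (verified, problems): project names whose download matched a
    pinned digest, and one reason per condition that would make pip abort
    (pip installs nothing at all if any single requirement fails).
    """
    pins = parse_lock_file(lock_text)
    verified, problems = [], []
    for name, (version, hashes) in pins.items():
        if require_hashes and not hashes:
            problems.append(f"{name}=={version}: no --hash given, refusing to install")
            continue
        if name not in downloads:
            problems.append(f"{name}=={version}: nothing was downloaded for this pin")
            continue
        filename, data = downloads[name]
        if not hashes:  # only with require_hashes=False: version pin alone
            verified.append(name)
            continue
        matched = any(hashlib.new(algo, data).hexdigest() in digests
                      for algo, digests in hashes.items())
        if matched:
            verified.append(name)
        else:
            problems.append(f"{filename}: sha256 {sha256_hex(data)} matches none of the pinned hashes")
    # Anything fetched that the lock file never mentions is an unpinned
    # transitive dependency sneaking in, which defeats the lock's purpose.
    for name, (filename, _) in downloads.items():
        if name not in pins:
            problems.append(f"{filename}: not pinned in the lock file")
    return verified, problems


if __name__ == "__main__":
    print(verify_downloads(LOCK_FILE, DOWNLOADS))
```

Run as is and both pins verify. Alter a single byte of a download, append a requirement without a hash, or fetch a package the lock file never mentions, and each case becomes a refusal of the whole install. That is the difference between a resolver input such as requirements.in or the dependency list in pyproject.toml and a lock file a CI pipeline can trust.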

Type: Talk (30 mins); Python level: Beginner; Domain level: Beginner

Justin Mayer

Justin Mayer is a serial entrepreneur, active open-source contributor, and advocate for stronger security and privacy. His latest project is Fortressa.com, which enables anyone to create their own private, self-contained VPN. He also maintains the Pelican static site generator as well as a number of other Python and Django-related projects.

Justin speaks fluent Japanese, graduated with honors from the University of California, Berkeley, and received his M.B.A. from the Wharton School of Business. He writes about security and privacy on the web at justinmayer.com and via @JMayer on Twitter.