1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
pipdeptree
==========
.. image:: https://travis-ci.org/naiquevin/pipdeptree.svg?branch=master
:target: https://travis-ci.org/naiquevin/pipdeptree
``pipdeptree`` is a command line utility for displaying the installed
python packages in form of a dependency tree. It works for packages
installed globally on a machine as well as in a virtualenv. Since
``pip freeze`` shows all dependencies as a flat list, finding out
which are the top level packages and which packages do they depend on
requires some effort. It can also be tedious to resolve conflicting
dependencies because ``pip`` doesn't yet have true dependency
resolution (more on this later). This utility tries to solve this
problem.
To some extent, this tool is inspired by ``lein deps :tree`` command
of `Leiningen <http://leiningen.org/>`_.
Installation
------------
.. code-block:: bash
$ pip install pipdeptree
This will install the latest version of ``pipdeptree`` which requires
at least Python 2.7. Prior to version ``0.10.0``, Python 2.6 was also
supported, so in case you are still stuck with 2.6, please install
``0.9.0``.
Usage and examples
------------------
To give you a brief idea, here is the output of ``pipdeptree``
compared with ``pip freeze``:
.. code-block:: bash
$ pip freeze
Flask==0.10.1
Flask-Script==0.6.6
Jinja2==2.7.2
-e git+git@github.com:naiquevin/lookupy.git@cdbe30c160e1c29802df75e145ea4ad903c05386#egg=Lookupy-master
Mako==0.9.1
MarkupSafe==0.18
SQLAlchemy==0.9.1
Werkzeug==0.9.4
alembic==0.6.2
argparse==1.2.1
ipython==2.0.0
itsdangerous==0.23
psycopg2==2.5.2
redis==2.9.1
slugify==0.0.1
wsgiref==0.1.2
And now see what ``pipdeptree`` outputs,
.. code-block:: bash
$ pipdeptree
Warning!!! Possible conflicting dependencies found:
* Mako==0.9.1 -> MarkupSafe [required: >=0.9.2, installed: 0.18]
Jinja2==2.7.2 -> MarkupSafe [installed: 0.18]
------------------------------------------------------------------------
Lookupy==0.1
wsgiref==0.1.2
argparse==1.2.1
psycopg2==2.5.2
Flask-Script==0.6.6
- Flask [installed: 0.10.1]
- Werkzeug [required: >=0.7, installed: 0.9.4]
- Jinja2 [required: >=2.4, installed: 2.7.2]
- MarkupSafe [installed: 0.18]
- itsdangerous [required: >=0.21, installed: 0.23]
alembic==0.6.2
- SQLAlchemy [required: >=0.7.3, installed: 0.9.1]
- Mako [installed: 0.9.1]
- MarkupSafe [required: >=0.9.2, installed: 0.18]
ipython==2.0.0
slugify==0.0.1
redis==2.9.1
Is it possible to find out why a particular package is installed?
-----------------------------------------------------------------
`New in ver. 0.5.0`
Yes, there's a `--reverse` (or simply `-r`) flag for this. To find out
what all packages require paricular package(s), it can be combined
with `--packages` flag as follows:
.. code-block:: bash
$ pipdeptree --reverse --packages itsdangerous,gnureadline
gnureadline==6.3.3
- ipython==2.0.0 [requires: gnureadline]
itsdangerous==0.24
- Flask==0.10.1 [requires: itsdangerous>=0.21]
- Flask-Script==0.6.6 [requires: Flask]
What's with the warning about conflicting dependencies?
-------------------------------------------------------
As seen in the above output, ``pipdeptree`` by default warns about
possible conflicting dependencies. Any package that's specified as a
dependency of multiple packages with a different version is considered
as a possible conflicting dependency. This is helpful because ``pip``
`doesn't have true dependency resolution
<https://github.com/pypa/pip/issues/988>`_ yet. The warning is printed
to stderr instead of stdout and it can be completely silenced by using
the ``-w silence`` or ``--warn silence`` flag. On the other hand, it
can be made mode strict with ``--warn fail`` in which case the command
will not only print the warnings to stderr but also exit with a
non-zero status code. This could be useful if you want to fit this
tool into your CI pipeline.
**Note** The ``--warn`` flag was added in version 0.6.0. If you are
using an older version, use ``--nowarn`` flag.
Warnings about circular dependencies
------------------------------------
In case any of the packages have circular dependencies (eg. package A
depending upon package B and package B depending upon package A), then
``pipdeptree`` will print warnings about that as well.
.. code-block:: bash
$ pipdeptree
Warning!!! Cyclic dependencies found:
- CircularDependencyA => CircularDependencyB => CircularDependencyA
- CircularDependencyB => CircularDependencyA => CircularDependencyB
------------------------------------------------------------------------
wsgiref==0.1.2
argparse==1.2.1
As with the conflicting dependencies warnings, these are printed to
stderr and can be controlled using the ``--warn`` flag.
Using pipdeptree to write requirements.txt file
-----------------------------------------------
If you wish to track only the top level packages in your
``requirements.txt`` file, it's possible to do so using ``pipdeptree``
by grep-ing only the top-level lines from the output,
.. code-block:: bash
$ pipdeptree | grep -P '^\w+'
Lookupy==0.1
wsgiref==0.1.2
argparse==1.2.1
psycopg2==2.5.2
Flask-Script==0.6.6
alembic==0.6.2
ipython==2.0.0
slugify==0.0.1
redis==2.9.1
There is a problem here though. The output doesn't mention anything
about ``Lookupy`` being installed as an editable package (refer to the
output of ``pip freeze`` above) and information about its source is
lost. To fix this, ``pipdeptree`` must be run with a ``-f`` or
``--freeze`` flag.
.. code-block:: bash
$ pipdeptree -f --warn silence | grep -P '^[\w0-9\-=.]+'
-e git+git@github.com:naiquevin/lookupy.git@cdbe30c160e1c29802df75e145ea4ad903c05386#egg=Lookupy-master
wsgiref==0.1.2
argparse==1.2.1
psycopg2==2.5.2
Flask-Script==0.6.6
alembic==0.6.2
ipython==2.0.0
slugify==0.0.1
redis==2.9.1
$ pipdeptree -f --warn silence | grep -P '^[\w0-9\-=.]+' > requirements.txt
The freeze flag will also not output the hyphens for child
dependencies, so you could dump the complete output of ``pipdeptree
-f`` to the requirements.txt file making the file human-friendly (due
to indentations) as well as pip-friendly. (Take care of duplicate
dependencies though)
Using pipdeptree with external tools
------------------------------------
`New in ver. 0.5.0`
It's also possible to have pipdeptree output json representation of
the dependency tree so that it may be used as input to other external
tools.
.. code-block:: bash
$ pipdeptree --json
Note that ``--json`` will output a flat list of all packages with
their immediate dependencies. To obtain nested json, use
``--json-tree`` (added in version ``0.11.0``).
.. code-block:: bash
$ pipdeptree --json-tree
The dependency graph can be layed out as any of the formats supported by
`GraphViz <http://www.graphviz.org/>`_:
.. code-block:: bash
$ pipdeptree --graph-output dot > dependencies.dot
$ pipdeptree --graph-output pdf > dependencies.pdf
$ pipdeptree --graph-output png > dependencies.png
$ pipdeptree --graph-output svg > dependencies.svg
Note that ``graphviz`` is an optional dependency ie. required only if
you want to use ``--graph-output``.
Also note that ``--json``, ``--json-tree`` and ``--graph-output``
options always override ``--package`` and ``--reverse``.
Usage
-----
.. code-block:: bash
usage: pipdeptree.py [-h] [-v] [-f] [-a] [-l] [-u]
[-w [{silence,suppress,fail}]] [-r] [-p PACKAGES] [-j]
[--json-tree] [--graph-output OUTPUT_FORMAT]
Dependency tree of the installed python packages
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-f, --freeze Print names so as to write freeze files
-a, --all list all deps at top level
-l, --local-only If in a virtualenv that has global access do not show
globally installed packages
-u, --user-only Only show installations in the user site dir
-w [{silence,suppress,fail}], --warn [{silence,suppress,fail}]
Warning control. "suppress" will show warnings but
return 0 whether or not they are present. "silence"
will not show warnings at all and always return 0.
"fail" will show warnings and return 1 if any are
present. The default is "suppress".
-r, --reverse Shows the dependency tree in the reverse fashion ie.
the sub-dependencies are listed with the list of
packages that need them under them.
-p PACKAGES, --packages PACKAGES
Comma separated list of select packages to show in the
output. If set, --all will be ignored.
-e PACKAGES, --exclude PACKAGES
Comma separated list of select packages to exclude from
the output. If set, --all will be ignored.
-j, --json Display dependency tree as json. This will yield "raw"
output that may be used by external tools. This option
overrides all other options.
--json-tree Display dependency tree as json which is nested the
same way as the plain text output printed by default.
This option overrides all other options (except
--json).
--graph-output OUTPUT_FORMAT
Print a dependency graph in the specified output
format. Available are all formats supported by
GraphViz, e.g.: dot, jpeg, pdf, png, svg
Known Issues
------------
* To work with packages installed inside a virtualenv, pipdeptree also
needs to be installed in the same virtualenv even if it's already
installed globally.
* One thing you might have noticed already is that ``flask`` is shown
as a dependency of ``flask-script``, which although correct, sounds
a bit odd. ``flask-script`` is being used here *because* we are
using ``flask`` and not the other way around. Same with
``sqlalchemy`` and ``alembic``. I haven't yet thought about a
possible solution to this! (May be if libs that are "extensions"
could be distinguished from the ones that are
"dependencies". Suggestions are welcome.)
Runnings Tests (for contributors)
---------------------------------
Tests can be run against all version of python using `tox
<http://tox.readthedocs.org/en/latest/>`_ as follows:
.. code-block:: bash
$ make test-tox
This assumes that you have python versions 2.7, 3.3 and 3.4, 3.5, 3.6
installed on your machine. (See more: tox.ini)
Or if you don't want to install all the versions of python but want to
run tests quickly against Python2.7 only:
.. code-block:: bash
$ make test
Tests require some virtualenvs to be created, so another assumption is
that you have ``virtualenv`` installed.
Before pushing the code or sending pull requests it's recommended to
run ``make test-tox`` once so that tests are run on all environments.
(See more: Makefile)
Release checklist
-----------------
* Make sure that tests pass on TravisCI.
* Create a commit with following changes and push it to github
- Update the `__version__` in the `pipdeptree.py` file.
- Add Changelog in `CHANGES.md` file.
- Also update `README.md` if required.
* Create an annotated tag on the above commit and push the tag to
github
* Upload new version to PyPI.
License
-------
MIT (See `LICENSE <./LICENSE>`_)
|
