Equivalent of `package.json` and `package-lock.json` for `pip`
Problem description
Package managers for JavaScript like `npm` and `yarn` use a `package.json` to specify 'top-level' dependencies, and create a lock-file to keep track of the specific versions of all packages (i.e. top-level and sub-level dependencies) that are installed as a result.

In addition, the `package.json` allows us to make a distinction between types of top-level dependencies, such as production and development.

For Python, on the other hand, we have `pip`. I suppose the `pip` equivalent of a `lock`-file would be the result of `pip freeze > requirements.txt`.

However, if you maintain only this single `requirements.txt` file, it is difficult to distinguish between top-level and sub-level dependencies (you would need e.g. `pipdeptree -r` to figure those out). This can be a real pain if you want to remove or change top-level dependencies, as it is easy to be left with orphaned packages (as far as I know, `pip` does not remove sub-dependencies when you `pip uninstall` a package).

Now, I wonder: Is there some convention for dealing with different types of these `requirements` files and distinguishing between top-level and sub-level dependencies with `pip`?

For example, I can imagine having a `requirements-prod.txt` which contains only the top-level requirements for the production environment, as the (simplified) equivalent of `package.json`, and a `requirements-prod.lock`, which contains the output of `pip freeze`, and acts as my `lock`-file. In addition I could have a `requirements-dev.txt` for development dependencies, and so on and so forth.

I would like to know if this is the way to go, or if there is a better approach.

p.s. The same question could be asked for `conda`'s `environment.yml`.

Solution

There are at least three good options available today:

- `pipenv` uses `Pipfile` and `Pipfile.lock` similarly to how you describe the similar JavaScript files. `pipenv` is a "bigger" tool than `pip`, in the sense that it also creates and manages virtualenvs.

  This is likely the most popular option available today, and it will almost certainly replace `pip` in many developers' workflows.

- `poetry` uses `pyproject.toml` and `poetry.lock` files, also similarly to how you describe the JavaScript files.

- `pip-tools` provides `pip-compile` and `pip-sync` commands. Here, `requirements.in` lists your direct dependencies, often with loose version constraints and `pip-compile` generates locked down `requirements.txt` files from your `.in` files.

  Personally, I like this tool since it's backwards-compatible (the generated `requirements.txt` can be processed by `pip`) and the `pip-sync` tool ensures that the virtualenv exactly matches the locked versions, removing things that aren't in your "lock" file.
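
An added example, not part of the original answer and not code from any of the tools it names: the orphan problem from the question, written as a reachability check from the top-level names in a `requirements.in`. Anything installed but unreachable is code in the environment that no declared dependency accounts for, which is what a lock-and-sync workflow is meant to eliminate. The function names and the sample dependency graph are constructed for illustration.

```python
import re
from importlib import metadata

def norm(name):
    """PEP 503 name normalisation: 'Flask_Login' -> 'flask-login'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_names(text):
    """Names from requirements-style lines; comments, blanks, options skipped."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:
            names.add(norm(m.group(0)))
    return names

def installed_graph():
    """Installed distribution -> names it requires. Extras-only requirements are
    dropped; other markers are not evaluated, so packages err towards reachable."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            reqs = [r for r in dist.requires or [] if not re.search(r"extra\s*==", r)]
            graph[norm(name)] = parse_names("\n".join(reqs))
    return graph

def classify(top_level, graph):
    """Split the packages in graph into top-level, transitive and orphaned."""
    seen, stack = set(), [n for n in top_level if n in graph]
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(d for d in graph[pkg] if d in graph)
    return {"top": sorted(seen & top_level),
            "transitive": sorted(seen - top_level),
            "orphaned": sorted(set(graph) - seen)}

# Constructed sample: requirements.in after "flask" was deleted from it, while
# flask and its sub-dependencies are still installed in the virtualenv.
CONSTRUCTED_IN = "requests>=2.0   # the only direct dependency left\n"
CONSTRUCTED_GRAPH = {
    "requests": {"urllib3", "idna", "certifi"}, "urllib3": set(),
    "idna": set(), "certifi": set(), "flask": {"werkzeug", "jinja2"},
    "werkzeug": set(), "jinja2": {"markupsafe"}, "markupsafe": set(),
}

if __name__ == "__main__":
    print(classify(parse_names(CONSTRUCTED_IN), CONSTRUCTED_GRAPH))
```

Against a real virtualenv, pass `installed_graph()` as the graph and the contents of your own `requirements.in` as the top-level names. Tooling such as `pip` itself will then appear as orphaned, so filter those names out before acting on the result.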