相当于 `pip` 的 `package.json' 和 `package-lock.json` [英] Equivalent of `package.json' and `package-lock.json` for `pip`

问题描述

JavaScript 的包管理器，例如 npm 和 yarn 使用 package.json 来指定顶级' 依赖项，并创建一个 lock-file 来跟踪 所有作为结果安装的包(即顶级和子级依赖项).

Package managers for JavaScript like npm and yarn use a package.json to specify 'top-level' dependencies, and create a lock-file to keep track of the specific versions of all packages (i.e. top-level and sub-level dependencies) that are installed as a result.

此外，package.json 允许我们区分顶级依赖项的类型，例如 production 和 development.

In addition, the package.json allows us to make a distinction between types of top-level dependencies, such as production and development.

另一方面，对于 Python，我们有 pip.我想 pip 等效于 lock-file 将是 pip freeze > 的结果.requirements.txt.

For Python, on the other hand, we have pip. I suppose the pip equivalent of a lock-file would be the result of pip freeze > requirements.txt.

但是，如果您只维护这个单个 requirements.txt 文件，则很难区分顶级和子级依赖项(例如，您需要 pipdeptree -r 来解决这些问题).如果您想删除或更改顶级依赖项，这可能会很痛苦，因为很容易留下孤立的包(据我所知，pip 当你pip卸载一个包时不会删除子依赖.

However, if you maintain only this single requirements.txt file, it is difficult to distinguish between top-level and sub-level dependencies (you would need for e.g. pipdeptree -r to figure those out). This can be a real pain if you want to remove or change top-level dependencies, as it is easy to be left with orphaned packages (as far as I know, pip does not remove sub-dependencies when you pip uninstall a package).

现在，我想知道:是否有一些约定来处理这些不同类型的 requirements 文件并用 区分顶级和子级依赖项点子?

Now, I wonder: Is there some convention for dealing with different types of these requirements files and distinguishing between top-level and sub-level dependencies with pip?

例如，我可以想象有一个 requirements-prod.txt 仅包含生产环境的顶级需求，作为 package.json<的(简化)等价物/code> 和一个 requirements-prod.lock，其中包含 pip freeze 的输出，并充当我的 lock 文件.此外，我可以有一个 requirements-dev.txt 用于开发依赖项，依此类推.

For example, I can imagine having a requirements-prod.txt which contains only the top-level requirements for the production environment, as the (simplified) equivalent of package.json, and a requirements-prod.lock, which contains the output of pip freeze, and acts as my lock-file. In addition I could have a requirements-dev.txt for development dependencies, and so on and so forth.

我想知道这是要走的路，还是有更好的方法.

I would like to know if this is the way to go, or if there is a better approach.

附言conda 的 environment.yml 可能会问同样的问题.

p.s. The same question could be asked for conda's environment.yml.

推荐答案

今天至少有三个不错的选择:

There are at least three good options available today:

1. pipenv 使用 Pipfile 和 Pipfile.lock 类似于您描述类似 JavaScript 文件的方式.pipenv 是一个更大"的文件.比 pip 更重要的工具，因为它还创建和管理 virtualenvs.

1. pipenv uses Pipfile and Pipfile.lock similarly to how you describe the similar JavaScript files. pipenv is a "bigger" tool than pip, in the sense that it also creates and manages virtualenvs.

这可能是当今最流行的选项，它几乎肯定会在许多开发人员的工作流程中取代 pip.

This is likely the most popular option available today, and it will almost certainly replace pip in many developers' workflows.

诗歌使用pyproject.toml 和 poetry.lock 文件，也类似于您描述 JavaScript 文件的方式.

poetry uses pyproject.toml and poetry.lock files, also similarly to how you describe the JavaScript files.

pip-tools 提供 pip-compile 和 pip-sync 命令.在这里，requirements.in 列出了您的直接依赖项，通常带有松散的版本约束，并且 pip-compile 从您的 requirements.txt 生成锁定的文件code>.in 文件.

pip-tools provides pip-compile and pip-sync commands. Here, requirements.in lists your direct dependencies, often with loose version constraints and pip-compile generates locked down requirements.txt files from your .in files.

我个人喜欢这个工具，因为它向后兼容(生成的 requirements.txt 可以由 pip 处理)和 pip-sync 工具确保 virtualenv 与锁定的版本完全匹配，删除不在你锁定"中的东西.文件.

Personally, I like this tool since it's backwards-compatible (the generated requirements.txt can be processed by pip) and the pip-sync tool ensures that the virtualenv exactly matches the locked versions, removing things that aren't in your "lock" file.

这篇关于相当于 `pip` 的 `package.json' 和 `package-lock.json`的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！