Equivalent of `package.json` and `package-lock.json` for `pip`
Problem description
Package managers for JavaScript like `npm` and `yarn` use a `package.json` to specify 'top-level' dependencies, and create a lock-file to keep track of the specific versions of all packages (i.e. top-level and sub-level dependencies) that are installed as a result.
In addition, the `package.json` allows us to make a distinction between types of top-level dependencies, such as production and development.
For Python, on the other hand, we have `pip`. I suppose the `pip` equivalent of a `lock`-file would be the result of `pip freeze > requirements.txt`.
However, if you maintain only this single `requirements.txt` file, it is difficult to distinguish between top-level and sub-level dependencies (you would need e.g. `pipdeptree -r` to figure those out). This can be a real pain if you want to remove or change top-level dependencies, as it is easy to be left with orphaned packages (as far as I know, `pip` does not remove sub-dependencies when you `pip uninstall` a package).
Now, I wonder: Is there some convention for dealing with different types of these `requirements` files and distinguishing between top-level and sub-level dependencies with `pip`?
For example, I can imagine having a `requirements-prod.txt` which contains only the top-level requirements for the production environment, as the (simplified) equivalent of `package.json`, and a `requirements-prod.lock`, which contains the output of `pip freeze`, and acts as my `lock`-file. In addition I could have a `requirements-dev.txt` for development dependencies, and so on and so forth.
I would like to know if this is the way to go, or if there is a better approach.
P.S. The same question could be asked for `conda`'s `environment.yml`.
Solution
There are at least three good options available today:
`pipenv` uses `Pipfile` and `Pipfile.lock` similarly to how you describe the similar JavaScript files. `pipenv` is a "bigger" tool than `pip`, in the sense that it also creates and manages virtualenvs.
This is likely the most popular option available today, and it will almost certainly replace `pip` in many developers' workflows.
`poetry` uses `pyproject.toml` and `poetry.lock` files, also similarly to how you describe the JavaScript files.
`pip-tools` provides `pip-compile` and `pip-sync` commands. Here, `requirements.in` lists your direct dependencies, often with loose version constraints and `pip-compile` generates locked down `requirements.txt` files from your `.in` files.
Personally, I like this tool since it's backwards-compatible (the generated `requirements.txt` can be processed by `pip`) and the `pip-sync` tool ensures that the virtualenv exactly matches the locked versions, removing things that aren't in your "lock" file.
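The comparison that the `pip-sync` description above implies can be sketched as a dry run. This is an added example, not part of the original answer and not pip-tools' own code; the function names (`parse_pins`, `sync_plan`) and the sample lock and freeze contents are assumptions constructed for illustration.

```python
import re

def normalize(name):
    """PEP 503 name normalization: Foo_Bar and foo-bar are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return ({name: version}, [unpinned lines]) for a requirements-style text.
    Backslash continuations (--hash lines) are joined; environment markers are
    ignored, which is a simplification of what pip itself does."""
    pins, unpinned = {}, []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank, comment, or option line such as --index-url / -e
        req = line.split(";")[0].split("--hash")[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s=]+)", req)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
        else:
            unpinned.append(req)  # a lock file should pin everything exactly
    return pins, unpinned

def sync_plan(lock_text, freeze_text):
    """Compare a lock file with `pip freeze` output and report the drift."""
    locked, unpinned = parse_pins(lock_text)
    installed, _ = parse_pins(freeze_text)
    return {
        "install": sorted(n for n in locked if n not in installed),
        "change": sorted(n for n in locked if n in installed and installed[n] != locked[n]),
        "remove": sorted(n for n in installed if n not in locked),  # orphans
        "unpinned": unpinned,
    }

# Constructed sample data (not from the original post); the hash is a placeholder.
LOCK = """\
flask==2.3.3
    # via -r requirements.in
jinja2==3.1.2 \\
    --hash=sha256:placeholder
markupsafe==2.1.3 ; python_version >= "3.7"
requests>=2.0
"""
FREEZE = """\
Flask==2.3.3
Jinja2==3.1.1
six==1.16.0
"""

if __name__ == "__main__":
    print(sync_plan(LOCK, FREEZE))
```

A non-empty `remove` list corresponds to the orphaned packages the question worries about, and a non-empty `unpinned` list means the file is not yet a true lock file.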