When we pip install streamlit, 25+ packages are getting installed and it scares users within enterprises. There is a lot of security scrutiny, and we are in a position to explain why we need so many packages. They all need to pass security clearance to get started. I love streamlit's capabilities and easiness, but taking it through enterprise is a challenge. Not sure others have faced similar hindrance and how swiftly they are getting it cleared. I got a lot of potential use cases, but need to clear the initial roadblock. Any guidance would really help.
With great power comes big dependencies
On a serious note, I think all of the dependencies in streamlit's setup are very reliable libraries themselves, I am pretty sure no corporate would have issues with protobuf, pandas, pyarrow, numpy, requests, toml as such. You can point them to the [packages] section under https://github.com/streamlit/streamlit/blob/develop/lib/Pipfile and the dependencies section under https://github.com/streamlit/streamlit/blob/develop/frontend/package.json; if they find anything objectionable in specific then it can be reviewed by a program analyst.
To add on to @ash2shukla's answer, we also do take adding dependencies seriously, to try and avoid the situation you are describing @vsuku:
Unfortunately, as a manner of open-source culture, when your dependencies import other dependencies, unfortunately you get a scenario where a bunch of packages tag along on the installation. For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a "requirement" for Streamlit.
I think the best thing you can do is appeal to authority in a way @ash2shukla suggests…the packages we require are pretty mainstream Python packages, so there isn't too much we can do without removing functionality.
For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a "requirement" for Streamlit.
Caught my curiosity. I ran a DFS on streamlit dependencies and found your culprit
'pydeck' : {'ipykernel': {'jupyter-client': ['jupyter_core', 'notebook'], 'ipywidgets' }
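The depth-first search mentioned in the post above can be reproduced against whatever is installed in a review environment. The following is an added example, not code from the thread or from Streamlit; the function names and the `SAMPLE` graph are assumptions made for illustration, and the sample edges are constructed rather than resolved from pip.

```python
import re
from importlib import metadata

def norm(name):
    """PEP 503 normalisation: 'jupyter_core' and 'Jupyter-Core' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Map every installed distribution to the requirements it declares."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        deps = set()
        for req in dist.requires or []:
            spec, _, marker = req.partition(";")
            match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
            if match and "extra" not in marker:  # extras are not installed by default
                deps.add(norm(match.group(1)))
        graph[norm(name)] = sorted(deps)
    return graph

def paths_to(graph, root, target):
    """Depth-first search: every dependency chain from root to target."""
    root, target = norm(root), norm(target)
    found, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            found.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # do not loop on circular requirements
                stack.append((dep, path + [dep]))
    return sorted(found)

# Constructed sample graph (names taken from the thread, edges illustrative).
SAMPLE = {
    "streamlit": ["pandas", "pydeck", "requests"],
    "pydeck": ["ipykernel", "ipywidgets", "numpy"],
    "ipykernel": ["jupyter-client"],
    "ipywidgets": ["ipykernel"],
    "jupyter-client": ["jupyter-core"],
}

if __name__ == "__main__":
    for chain in paths_to(installed_graph(), "streamlit", "jupyter_core"):
        print(" -> ".join(chain))
```

Each printed chain names the direct dependency that brings a given package in, which is the justification a review board usually asks for.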
@randyzwitch Thanks for the detailed response. Sure, will do my best and deal with the review boards. For certain domain verticals, it's going to be extremely difficult, but for the rest, will be able to push.