Streamlit Dependency packages

vsuku · August 26, 2020, 4:43pm

When we pip install streamlit, 25+ packages are getting installed and it scares users within enterprises. There are lot of security scrutiny, we are in a position to explain why we need so many packages. They all need to pass security clearance to get started. I love streamlit’s capabilities and easiness, but taking it through enterprise is a challenge. Not sure others have faced similar hindrance and how swiftly they are getting it cleared. I got lot of potential usecases, but need to clear initial roadblock. Any guidance would really help.

ash2shukla · August 26, 2020, 7:33pm

With great power comes big dependencies

On a serious note, I think all of the dependencies in streamlit’s setup are very reliable libraries themselves, I am pretty sure no corporate would have issues with protobuf, pandas, pyarrow, numpy, requests, toml as such. You can point them to [packages] section under https://github.com/streamlit/streamlit/blob/develop/lib/Pipfile and dependencies section under https://github.com/streamlit/streamlit/blob/develop/frontend/package.json if they find anything objectionable in specific then it can be reviewed by a program analyst.

randyzwitch · August 26, 2020, 7:38pm

To add on to @ash2shukla’s answer, we also do take adding dependencies seriously, to try and avoid the situation you are describing @vsuku:

github.com

streamlit/streamlit/blob/develop/lib/Pipfile#L27-L52


# IMPORTANT: We should try very hard *not* to add dependencies to Streamlit.
# And if you do add one, make the required version as general as possible.
altair = ">=3.2.0"
astor = "*"
base58 = "*"
blinker = "*"
boto3 = "*"
botocore = ">=1.13.44"
cachetools = ">=4.0"
click = ">=7.0"
enum-compat = "*"
numpy = "*"
packaging = "*"
pandas = ">=0.21.0"
pillow = ">=6.2.0"
protobuf = ">=3.6.0"
pyarrow = "*"
pydeck = ">=0.1.dev5"
python-dateutil = "*"
requests = "*"

This file has been truncated. show original

Unfortunately, as a manner of open-source culture, when your dependencies import other dependencies, unfortunately you get a scenario where a bunch of packages tag along on the installation. For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a “requirement” for Streamlit.

I think the best thing you can do is appeal to authority in a way @ash2shukla suggests…the packages we require are pretty mainstream Python packages, so there isn’t too much we can do without removing functionality.

ash2shukla · August 26, 2020, 8:03pm

For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a “requirement” for Streamlit.

Caught my curiosity. I ran a DFS on streamlit dependencies and found your culprit

‘pydeck’ : {‘ipykernel’: {‘jupyter-client’: [“jupyter_core”, “notebook”], ‘ipywidgets’ }

vsuku · August 27, 2020, 2:13am

@ash2shukla You are right. Thanks. It takes time for getting clearance, but will deal with it.

vsuku · August 27, 2020, 2:19am

@randyzwitch Thanks for the detailed response. Sure, will do my best and deal with the review boards. For certain domain verticals, its going to be extremely difficult., but for the rest, will be able to push.

Topic		Replies	Views
Looking for Streamlit dependency list 🎈 Using Streamlit	3	410	November 6, 2023
Using package from a private repo in Streamlit deploy ☁️ Community Cloud streamlit-cloud	5	1791	October 28, 2023
Why do we install streamlit with pip and not conda? 🎈 Using Streamlit	3	2670	March 17, 2023
Please Help in an error regarding installing packages 🎈 Using Streamlit	7	404	July 6, 2023
Issues with processing python dependencies in Streamlit Cloud ☁️ Community Cloud	7	864	September 21, 2023

Streamlit Dependency packages

Related Topics

Hello there 👋🏻

Cookie settings

Strictly necessary cookies

Performance cookies

Functional cookies

Targeting cookies