Streamlit Dependency packages

When we pip install streamlit, 25+ packages get installed, and it scares users within enterprises. There is a lot of security scrutiny, and we are in a position to explain why we need so many packages. They all need to pass security clearance to get started. I love streamlit’s capabilities and easiness, but taking it through enterprise is a challenge. Not sure if others have faced a similar hindrance and how swiftly they are getting it cleared. I have a lot of potential use cases, but need to clear the initial roadblock. Any guidance would really help.

With great power comes big dependencies :smiley:

On a serious note, I think all of the dependencies in streamlit’s setup are very reliable libraries themselves. I am pretty sure no corporation would have issues with protobuf, pandas, pyarrow, numpy, requests, toml as such. You can point them to the [packages] section under https://github.com/streamlit/streamlit/blob/develop/lib/Pipfile and the dependencies section under https://github.com/streamlit/streamlit/blob/develop/frontend/package.json. If they find anything specifically objectionable, then it can be reviewed by a program analyst.

1 Like

To add on to @ash2shukla’s answer, we also do take adding dependencies seriously, to try and avoid the situation you are describing @vsuku:

Unfortunately, as a matter of open-source culture, when your dependencies import other dependencies, you get a scenario where a bunch of packages tag along on the installation. For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a “requirement” for Streamlit.

I think the best thing you can do is appeal to authority in the way @ash2shukla suggests… the packages we require are pretty mainstream Python packages, so there isn’t too much we can do without removing functionality.

1 Like

For example, somewhere in our dependency chain, Jupyter gets installed, even though that does make sense as a “requirement” for Streamlit.

Caught my curiosity. I ran a DFS on streamlit dependencies and found your culprit :smiley:

'pydeck' : {'ipykernel': {'jupyter-client': ["jupyter_core", "notebook"], 'ipywidgets' }

1 Like
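The depth-first search mentioned in the post above, as an added example (not the poster's script and not Streamlit's own code): it walks installed package metadata with `importlib.metadata`, lists everything a package pulls in, and reports each chain that leads to a given dependency. The function names are hypothetical and the `SAMPLE` graph is constructed so the block runs offline.

```python
import re
from importlib import metadata

def normalize(name):
    """PEP 503 normalization, so 'jupyter_core' and 'Jupyter-Core' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_requires(pkg):
    """Direct requirements of an installed distribution, ignoring optional extras."""
    try:
        reqs = metadata.requires(pkg) or []
    except metadata.PackageNotFoundError:
        return []  # declared but not installed in this environment
    deps = []
    for req in reqs:
        spec, _, marker = req.partition(";")
        name = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
        if name and "extra" not in marker:
            deps.append(name.group(1))
    return deps

def transitive(root, requires=installed_requires):
    """Every package reachable from root: the inventory a review board asks for."""
    seen, stack = set(), [normalize(root)]
    while stack:
        for dep in map(normalize, requires(stack.pop())):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(normalize(root))
    return sorted(seen)

def paths_to(root, target, requires=installed_requires):
    """DFS from root, returning each dependency chain that ends at target."""
    target, found = normalize(target), []
    def visit(pkg, chain):
        for dep in map(normalize, requires(pkg)):
            if dep == target:
                found.append(chain + [dep])
            elif dep not in chain:  # guard against dependency cycles
                visit(dep, chain + [dep])
    visit(normalize(root), [normalize(root)])
    return found

# Constructed sample graph (not real package metadata), used for an offline run.
SAMPLE = {"streamlit": ["pandas", "pydeck", "requests"],
          "pydeck": ["ipykernel", "ipywidgets"], "ipywidgets": ["ipykernel"],
          "ipykernel": ["jupyter-client"], "jupyter-client": ["jupyter_core"]}

if __name__ == "__main__":
    for chain in paths_to("streamlit", "jupyter_core", lambda p: SAMPLE.get(p, [])):
        print(" -> ".join(chain))
```

In an environment where Streamlit is installed, calling `transitive("streamlit")` or `paths_to("streamlit", "notebook")` without the third argument reads the real metadata instead of the sample graph.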

@ash2shukla You are right. Thanks. It takes time to get clearance, but I will deal with it.

@randyzwitch Thanks for the detailed response. Sure, I will do my best and deal with the review boards. For certain domain verticals, it's going to be extremely difficult, but for the rest, I will be able to push.