Identify unused dependencies and avoid a bloated virtual environment.
Project description
creosote
Identify unused dependencies and avoid a bloated virtual environment.
⚡️ Quickstart
Install creosote in separate virtual environment (using e.g. pipx):
pipx install creosote
Scan virtual environment for unused dependencies (PEP-621 example below, but Poetry, Pipenv and requirements.txt files are also supported, see this table):
$ creosote
Found dependencies in pyproject.toml: distlib, dotty-dict, loguru, pip-requirements-parser, requests, toml
Oh no, bloated venv! 🤢 🪣
Unused dependencies found: requests
And after having removed/uninstalled requests:
$ creosote
Found dependencies in pyproject.toml: distlib, dotty-dict, loguru, pip-requirements-parser, toml
No unused dependencies found! ✨
Get help:
creosote --help
🤔 How this works
☘️ Required arguments
| Argument | Default value | Description |
|---|---|---|
--venv |
.venv |
The path to your virtual environment. |
--paths |
src |
The path to your source code, one or more files/folders. |
--deps-file |
pyproject.toml |
The path to the file specifying your dependencies, like pyproject.toml, requirements_*.txt | .in. |
--sections |
project.dependencies |
One or more toml sections to parse, e.g. project.dependencies. |
The creosote tool will first scan the given python file(s) for all its imports. Then it fetches all dependency names (from the dependencies spec file). Finally, all imports are associated with their corresponding dependency name (requires the virtual environment for resolving). If a dependency does not have any imports associated, it is considered unused.
See the main function in cli.py for a terse overview of the logic.
🌶️ Features
These optional features enable new/experimental functionality, that may be backward incompatible and may be removed at any time. Use at your own risk!
| Feature | Description |
|---|---|
fail-excluded-and-not-installed |
When excluding a dependency from the scan (using --exclude-deps) and if the dependency is removed from the dependency specification file (e.g. pyproject.toml), return with exit code 1. |
v3-args |
Use the new arguments, which will be used in creosote version 3.0.0. In version 2.x, the argument is specified once and then space-separated values, like -p <path1> <path2>. This will change in version 3.0.0, where you will have to define the argument for each value, like -p <path1> -p <path2>. I believe this is more common and caters better for different use cases. |
😤 Known limitations
importlibimports are not detected by the AST parser (a great first contribution for anyone inclined 😄, reach out or start here).
🥧 History and ambition
The idea of a project like this was hatched from having security vulnerability reports about production dependencies (shipped into production) which turned out to not not even be in use.
This can also help avoiding noise from bots like Dependabot or Renovate for dependencies you don't even need.
The goal of this project is to run the creosote tool in CI, which will catch cases where the developer
forgets to remove unused dependencies. An example of such a case could be when doing refactorings.
Note: Creosote supports identifying both unused production dependencies and developer dependencies. It all depends on what you would like to achieve.
🤨 FAQ
Which dependency specification tooling/standards are supported?
| Tool/standard | Supported | --deps-file value |
Example --sections values |
|---|---|---|---|
| PDM | ✅ | pyproject.toml |
project.dependencies,project.optional-dependencies.<GROUP>,tool.pdm.dev-dependencies |
| Pipenv | ✅ | pyproject.toml |
packages,dev-packages |
| Poetry | ✅ | pyproject.toml |
tool.poetry.dependencies,tool.poetry.dev-dependencies (legacy),tool.poetry.group.<GROUP>.dependencies |
Legacy Setuptools (setup.py) |
❌ | ||
PEP-508 (requirements.txt, pip-tools) |
✅ | *.[txt|in] |
N/A |
| PEP-621 | ✅ | pyproject.toml |
project.dependencies,project.optional-dependencies.<GROUP> |
📔 Notes on PEP-508 (requirements.txt)
When using requirements.txt files to specify dependencies, there is no way to tell which part of requirements.txt specifies production vs developer dependencies. Therefore, you have to break your requirements.txt file into e.g. requirements-prod.txt and requirements-dev.txt and use any of them as input. When using pip-tools, you likely want to point Creosote to scan your *.in file(s).
Can I specify multiple toml sections?
Yes, you can specify a list of sections after the --sections argument. It all depends on what your setup looks like and what you set out to achieve.
$ creosote --sections project.dependencies project.optional-dependencies.lint project.optional-dependencies.test
Can I exclude dependencies from the scan?
Yes, you can use the --exclude-deps argument to specify one or more dependencies you do not wish to get warnings for.
This feature is intended for dependencies you must specify in your dependencies spec file, but which you don't import in your source code. An example of such a dependency are database drivers, which are commonly only defined in connection strings and will signal to the ORM which driver to use.
$ creosote --exclude-deps pyodbc starlette
Can I run Creosote in a GitHub Action workflow?
Yes, please see the action job example in .github/workflows/test.yml.
Can I run Creosote with pre-commit?
Yes, see example in .pre-commit-config.yaml.
Here's another example setup, if already have Creosote installed onto $PATH (via e.g. pipx).
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: system
name: creosote
entry: creosote --venv .venv --paths src --deps-file pyproject.toml --sections project.dependencies
pass_filenames: false
files: \.(py|toml|txt|in|lock)$
language: system
What's with the name "creosote"?
This tool has borrowed its name from the Monty Python scene about Mr. Creosote.
📰 Creosote in the "news"
Because it makes me happy to see this tool can help others! 🥰
👩🔬 Development/debugging info
Install in-development builds
You can run in-development versions of Creosote. Examples below:
# Creosote build from main branch
$ pipx install --suffix=@main --force git+https://github.com/fredrikaverpil/creosote.git@main
$ creosote@main --venv .venv ...
$ pipx uninstall creosote@main
# Creosote build from PR #123
$ pipx install --suffix=@123 --force git+https://github.com/fredrikaverpil/creosote.git@refs/pull/123/head
$ creosote@123 --venv .venv ...
$ pipx uninstall creosote@123
🚀 Releasing
- Bump version in
src/creosote/__about__.pyand.pre-commit-config.yaml. - GitHub Action will run automatically on creating a release and deploy the release onto PyPi.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
