Do any languages specify package requirements in import / include statements?
It seems to me that a reasonable design decision, especially for a scripting language like python, would be to allow specification of versions in the import statement (as pipreqs does) and then have a standard installation process download and install requirements based on those versioned import statements.
I realize there would be downsides to this idea. For example, you have to figure out what happens if different versions of a requrement are specified in different files of the same package (in a sense, the concept of "package" starts to weaken or break down in a case like that). But in some cases, e.g. a single-file python script, it seems like it would be great.
So, are there any languages whose standard installer / dependency resolvers download dependencies based on the import or include statements?
Has anyone hacked or extended python / setuptools to work this way?
88 comments
[ 3.1 ms ] story [ 155 ms ] threadPackage management is important, but other stuff might be more important.
That said: I enjoy go. Is it perfect? No! It feels like the old days with python. I expected a lot more from the golang type checker. Lots of basics are not there (reverse a string? Write your own function. Etc.)
Reversing a string is not a basic operation. A) why would you ever need to do it in the real world? B) reversing Unicode is non-trivial due to composing characters. There are packages available for Go that implement grapheme segmentation. If you need it, you can import one.
In some sense the best answer to "write me a string reversal function" in an interview is to say that no such function even exists anymore; I can write you a byte reversal function if you like, or we can sit down and hammer out a definition of some function I can write for you but it won't necessarily be a "string reverse". Best you can do nowadays is iterate on "graphemes as defined in this specific Unicode standard" and reverse those, but IIRC even that has some pathological edge cases, some of which are not really resolvable. Human languages as a whole are quite quirky.
It doesn't. The name that you use for a third-party library in software generally isn't remotely enough information to obtain it, and it would be bad to have an ecosystem where it were - since you'd be locked in to implementations for everything and couldn't write software that dynamically (even at compile time) chooses a backend. On the other hand, many people need to care about the provenance of a library and e.g. can't rely on a public repository because of the risk of supply-chain attacks. Lockfiles - like the sort described in the draft PEP 751 (https://peps.python.org/pep-0751/), or e.g. Gemfile.lock for Ruby) - include a lot more information than a package name and version number for that reason (in particular, typically they'll have a file size and hash for the archive file representing the package).
>It seems to me that a reasonable design decision, especially for a scripting language like python, would be to allow specification of versions in the import statement (as pipreqs does) and then have a standard installation process download and install requirements based on those versioned import statements.
It's both especially common for naive Python developers to think this makes sense, and especially infeasible for Python to implement it.
First off, Python modules are designed as singleton objects in a process-global cache (`sys.modules`). Code commonly depends on this for correctness - modules will define APIs that mutate global state, and the change has to be seen program-wide.
Even if the `import` syntax, the runtime import system and installers all collaborated to let you have separate versions of a module loaded in `sys.modules` (and an appropriate way to key them), it'd be impractical for different versions of the same module to discover each other and arrange to share that state. Plus, library authors would have to think about whether they should share state between different versions of the library. There are probably cases where it would be required for correctness, and probably cases where it must not happen for correctness. And it's even worse if the library author ever contemplates changing that aspect of the API.
Second, there's an enormous amount of legacy that would have to be cleaned up. Right now, there is no mapping from import names to the name you install - and there cannot be, for many reasons. Most notably, an installable package may legally provide zero or more import names.
I wrote about this recently on my blog: https://zahlman.github.io/posts/2024/12/24/python-packaging-... (see section "Your package name that ain't what you `import`, makes me frustrated").
Third, Python is just way too dynamic. An `import` statement is a statement - i.e., actual code that runs when the code does, a step at a time, not just some compile-time directive or metadata. It can validly be anywhere in the file (including within a function - which occasionally solves real problems with circular imports); you can validly import modules in other ways (including ones which bypass the global cache by default - there are good system architecture reasons to use this); and the actual semantics can be altered in a variety of ways (the full system is so complex that I can't even refer you to a single overall document with a proper overview).
> For example, you have to figure out what happens if different versions of a requrement are specified in different files of the same package (in a sense, the concep...
A fair amount of the time, I do notice that my writing could have an unintended, uncharitable reading like that, but I either can't think of a good way to improve it or (more commonly) just don't feel responsible for doing so. Tone of voice is notoriously hard to communicate; even explicit markers (such as smilies) are often more easily interpreted as sarcastic or insincere.
I especially don't like adding a lot of words to try to avoid giving that impression - because when other people do it, I often feel like they're wasting my time with all the extra words I have to read. (But of course, they don't know that I was already willing to read them charitably....)
It may be of interest if you want more people to look at Paper or bbbb though. But that may also not be what you want, or attract users you don’t want. We all make software for a variety of reasons!
Change naive to beginner in all your writing. Naive brings a negative connotation with it always (unless you truly intend to insult the other person).
And you could just drop "fortunately for you" since it adds nothing to the statement and technically takes longer to write than just dropping it.
I think what you describe really only makes sense for a single file script. I _do not_ want to manage dependency hell within my own source files.
Groovy is a Java variant that runs on the JVM that allows you to add dependencies as annotations. I believe it uses Maven in the back-end, but it's just so convenient for scripts etc.
[0] https://rust-lang.github.io/rfcs/3424-cargo-script.html
https://bundler.io/guides/bundler_in_a_single_file_ruby_scri...
But I recognize that isn't quite what the questioner is asking, because at least in ruby you are still going to need "require" statements (unless you have an autoloader) to actually load the code, the inline `gemfile` specifies your dependencies, which is different than a require/import statement to actually load code from possibly one of those dependencies.
> I realize there would be downsides to this idea. For example, you have to figure out what happens if different versions of a requrement are specified in different files of the same package (in a sense, the concept of "package" starts to weaken or break down in a case like that). But in some cases, e.g. a single-file python script, it seems like it would be great.
To fully support this, we'd need a top-down compilation model like Zig so we could discover dependencies in the current project. Today, we have to do bottom-up compilation, knowing all dependencies a priori.
A downside to any of this is it is expensive to do any any dependency management
- Introspecting dependencies requires parsing every file in every part of your dependency tree
- Editing dependencies requires walking every file in your project
- version constraints - source of packages (you may want to host them yourself one day) - any additional metadata (some packages have options or features)
For example… let’s say you have just plain search-replace and no smart tools. You need to update github.com/abc/def to github.com/abc/def/v2. This is a search-replace operation.
This only happens when packages publish breaking changes. The minor version is stored in go.mod.
Every language starts the way you describe, then needs are added.
What is complex versioning? In Go, you specify a minimum minor version, and breaking changes change the package name & import path (or they’re supposed to). Why would I want complex versioning? The underlying problem that versioning solves is complicated, but that doesn’t mean you benefit from a complex versioning scheme.
gofmt -w -r '"github.com/abc/def" -> "github.com/abc/def/v2"' .
That won't do subpackages though.
Nowadays, the version constraints are specified in go.mod. Because the fully-qualified package names are used to import them, you can reconstruct go.mod from the sources, assuming that you don’t care about version numbers.
The source code says which packages, the go.mod file says which versions. (Major versions have different import paths.)
https://bundler.io/guides/bundler_in_a_single_file_ruby_scri...
https://deno.com/blog/http-imports
PS: also Godbolt's C/C++ compilers can directly #include from URLs, I guess they run their own custom C preprocessor over the code before passing it on to the compilers:
https://www.godbolt.org/z/6aTKo4vbM
FWIW, that's a native JS feature (minus the TS part).
Disclosure: I’m the founder.
[0] https://w3c.github.io/webappsec-subresource-integrity
Just import everything! Nuget packages, local dlls, other F# script files, you name it. It's so good. No extra ceremony. And when you open it in VS Code with Ionide - you get full support of the language server, documentation and syntax highlighting to know that your script is correct.
Night and day difference with standard scripting languages.
This is where it breaks down a bit.
Importing the same script file twice leads to errors, so you must manually ensure exactly once imports across your dependency tree of scripts.
This is where C/C++ code reaches for include guards, but F# does not have a define pre-processor command (unlike C#).
But for something like loading a dependency for Java or rust, I don‘t think something like this would make sense. Or maybe I’m just too accustomed to the Maven way of doing things.
In Firefly, you can specify dependencies at the top of the file:
https://www.firefly-lang.org/
When your project grows, you can move the dependencies to a single shared project file.
Also e.g. https://p3rl.org/lib::xi will automatically install deps as it hits them, and the JS https://bun.sh/ runtime does similar natively (though I habitually use 'bun install <thing>' to get a package.json and a node_modules/ tree ... which may be inertia on my part).
Th e perl use is a pure >= thing though, whereas I believe raku (née perl6) has
and similar but I'm really not at all an expert there.[0] it's perl so there's more than one although META.json and cpanfile are both supported by pretty much everything I recall caring about in the past N years
It supports git-links as well as package names in repos and versions.
Also happens to be a very nice and capable scripting platform, with a reasonably small runtime.
use Foo::Bar:ver<0.1.2+>:auth<zef:name>:api<2>;
would only work if the at least version 0.1.2 of the Foo::Bar module was installed, authored by "zef:name" (basically ecosystem + nick of author), with API level 2.
Note that modules can be installed next to each other that have the same name, but different authorities and different versions.
Imports from modules are lexical, so one could even have one block use one version of a module, and another block another version. Which is handy when needing to migrate date between versions :-)
That said, I'm not sure it is exactly what you are asking. They still somewhat expect you to have the system defined in a central spot as far as what all you depend on. Which I think you are almost always going to want.
That is, if you want individual files to be able to specify dependencies, that is probably doable; but you are almost certainly going to want something to pull those up to a central spot. If only so that you can work with it as a cohesive unit?
I get that you can feel these are somewhat redundant. But they are also meaningful? You could, similarly, not use any imports on a Java program and just fully qualify names as you use them. Such that imports could similarly be seen as redundant/unnecessary. At some point, you will want a place to say what names can and cannot be used in execution. Which ultimately puts you back in the same game.
asdf systems can specify a version of a system it depends on.
- JS: Deno and Bun
- Scala: Scala CLI and Ammonite
- Python: fades (https://github.com/PyAr/fades)
> Any chunk of the language can be replaced with a hash.
> These chunks are called “scraps”.
> Scraps are stored/cached/named/indexed in global distributed “scrapyards”.
[0]: https://scrapscript.org/
Specifying a specific package version in your source directly would be like having a function with arguments, then removing one of those arguments and replacing it with a local variable with the same name that you hardcode to a specific value. It is a perfectly fine thing to do if that argument really should only ever have that specific value, but it is a fairly "fundamental" source code change; your function has fewer arguments and a hardcoded value now!
To be fair, as far as I am aware, no commonly used language seems to understand the distinction and syntactically distinguishes build arguments from build parameters. What you should have is a specific syntactic operation that specifies a argument that takes type "package", a separate, distinct syntactic operation that instantiates a specific package and binds it to a name, and a separate distinct syntactic operation that passes in a package instance to a argument. Then your build system is just instantiating specific packages and passing them as arguments to your files with imports.
In your case, you would then just be instantiating specific packages and assigning them to a "common" name. You would have no "imports" in this sense as you have no arguments, only "local variables", and thus the build system would need to do nothing as there are no "arguments" to your file. That or your build system still instantiates the packages, but as "global variables" assigned to names of your choosing, that you would then just reference in your contained file.
And about the parameters thing, often times your code will only work with a specific major version of some dependency. You could switch versions, but it'd require editing the code.
It is like defining a function, f(x) and then asking for how to make x = 5 always. Well, you get rid of the parameter and create a local variable in the function named x and set it to 5. That is a perfectly reasonable thing to do.
But, it would be utterly absurd to make function argument declaration look exactly the same as local variable declaration and initialization. You should have distinct syntax for those two very different operations.
Unfortunately, for build arguments and parameters, every commonly used language I am aware of either only supports one form and punts the other form to the build system or attempts to do both using the same form. That is why it is a mess.
As for versioning, that is actually a “type” problem. When you take a parameter in a function you are usually expecting it to conform to some type or interface guarantees. Build arguments should do the same, but again, I am not aware of any languages that actually manifest the “type” of a package that can be used in a build argument. So, we are stuck with the wonderful world of untyped build arguments that we shoehorn in with “type annotations” (i.e. version ranges) in the build system.
It's part of the language that you can specify a complete URI in an import statement, and a URI for a library really should include a version number somehow.