#What's new in pip 25.1 | Richard Si
Is pip slowly installing a large package (e.g., numpy)
Personally I would not use numpy as an example of a "large" package, whose wheels are between 5 and 22 MBs, I would use torch or tensorflow, whose wheels can be between 68 and 700 MBs
I would mention in the pip lock section that the output is for the current environment, it is not a "universal" lock file like some tools might produce
You linked Krishan Bhasin's name to their github profile, but you didn't link my name to my github profile 🤨
I wrote a note about:
Speed up resolution by first only considering the “priorities” of candidates that must be required to complete the resolution.
Here: https://github.com/pypa/pip/issues/13185#issuecomment-2831698908
Great blog post as usual! Thanks for putting in the effort!
I generally do not link/attribute work done by maintainers. Stéphane isn't mentioned at all here.
But that's fair. I did mention your name, so I may as well add a link to your GitHub. Sorry about that!
I thought I linked to the pip lock documentation, but on a second read, I did not. Oops.
Yeah, I'm not actually that fussed, just the inconsistency jumped out at me and I thought it was funny, I would be happy for my name to not be there or be there or whatever
Your name will be on there for sure as it's common practice to say thanks for whoever reviewed your blog post ahead of time.
:)
Heh, thanks!
I do wish more people read them, though. If it were an official post, under the pip name, it'd probably get a decent amount of traffic (especially with the better SEO of pip.pypa.io), but such a change would be infeasible and I do not want to make this an official part of the project.
It's a major commitment and there's no way I'd want to offload this onto the pip release process. And I can't commit myself to writing these for every release. While I have no plans to stop, <life happens> and keeping it unofficially official keeps expectations flexible.
I was planning to make a small post that links to it on Reddit, I need to think of a mildly click baity title to get the upvotes and views, I've got in the 200-300 upvote range for pip releases in the past
lol amazing
I did a reddit post for my first post. It made the rounds, although most of its success came from its excellent SEO. People keep hitting the editable deprecation and my post ranks high for that.
I immediately redirect them to the deprecation issue as it contains the most up to date information, so I'd imagine the engagement stats are terrible, but I'm not keeping track of that, hahaha.
I think part of it too is that people have no idea who I am for the most part.
Also Reddit has insane SEO, so if you get upvotes on reddit to a link that usually helps the blog get good SEO
Pradyun is quite literally one of the most involved people in packaging. I am not.
That's higher than I thought it would be. I'm sure that the search results are being influenced in my post's favour, but generally, DPO ranks better (which makes sense as a well-established site).
And yeah, my titles are the utter opposite of clickbait. It's literally the most boring factual statement ever.
I just try and keep it mild on the click bait side:
https://www.reddit.com/r/Python/comments/1clx454/pip_241_beta_released_and_its_a_big_one/
https://www.reddit.com/r/Python/comments/12n5lai/pip_231_released_massive_improvement_to/
if I advertise dependency groups support in the title, that may help make it seem more appealing
it's not lying at all
People do like dependency groups, and lock files
(and now it feels I'm in a marketing promotion strategy meeting 😆 )
I'm going to start a blog soon, but I want to spend a bit of time understanding backends, I think I want it to be its own domain, not github or something
other than release posts, I don't have any plans for blogging
Mine is going to have some spicy takes though, so I won't be associating with pip, lol
I don't have the patience or tenacity for it
So I have a domain name: floralily.dev, but I don't use it for my blog.
Maybe I should use it for that, but I guess I haven't felt like committing to it.
I think *.github.io domains generally have OK reputation. Probably not amazing, but there are some real serious websites hosted on GitHub Pages.
Yeah, that is true
The prominent "github" label is probably not ideal, but meh.
"All of $these-backends are hot garbage and should've never been created!!?"
Honestly, that'd probably rate as rather mild to only moderate depending on the exact language used. Python packaging is already decisive polarizing as hell, haha.
Ahaha, I wouldn't make spicy hot takes about backends, I don't know enough about them
I purposefully don't read HN or other spicy takes on packaging because I don't actually care that much for what the other projects are doing. I'm a pip maintainer and that's it. I care what the ecosystem is doing as a whole, not the individual projects unless it's pip.
I'd be so jaded otherwise.
I'm sure there is some spicy commentary on backends. I do agree that the fact we have so many backends for pure python projects does not make for a good user experience.
I'd love for there to be only one or two highly flexible backends designed for pure-python projects that all of the project tools wrap over. That way only developers with complex needs (compilation, etc.) would need a custom backend.
Of course, part of what makes the project workflow tools work is that they tightly control the backend and frontend. It's hard to design a cohesive experience without that control. I just think the resulting fragmentation is rather regrettable.
*this is ignoring the social implications too. It's exceedingly unlikely that the tool authors are going to want to cede control over their backend, and thus part of their design autonomy. There isn't anything wrong with that, that's part of being human, but yeah.
At the moment for me that's flit-core and hatchling, I was in fact going to write up an issue to suggest that maybe pip vendor flit-core so that it can be used offline when a matching version of the flit-core backend is requested, and that should be recommended for simple packages, but I don't know how much energy I have for that
I'd rather first work on improving pip's offline story in general. There's an issue asking for a --offline flag where pip tries to use cached packages aggressively.
If pip were to vendor backends, the decision of which backends we vendor becomes a hotly sensitive question. Unless we vendor all of them, we'd be taking a side. I don't want pip to be wading into that mess. 
IIRC there was a bit of drama with which backend is promoted most prominently in the Packaging User Guide. I'd like to keep that away from pip as much as possible. No drama of any kind, please.
Yes, that's why I don't have energy for it, but I'm strongly of the opinion that right now flit-core is the most, and probably only, reasonable backend that pip could vendor
It's the simplest, most stable, and second oldest
agreed
Excellent writeup, thank you!
On mobile, the video makes the screen extend to the right. It also makes it impossible to horizontally scroll the wide code snippets further down. Can you make the video stick in the column width? Perhaps width=100%
home-assistant -> Home Assistant
"a diagnostic error will be raised", this isn't an API, maybe "will be shown" or "reported"? (and same for "hash mismatch error would be raised")
" by end-users", remove hyphen
# pyproject.toml, in dark mode, the colour contrast ratio is too low making it hard to read. Aim for the WCAG AA accessibility guidelines of at least 4.5:1 https://dequeuniversity.com/rules/axe/4.10/color-contrast
"“We” believe that pip", remove quotes
"and rational sections" -> "rationale"
"an universal" -> "a universal"
"it is the on the roadmap" -> "it is on the roadmap"
Resolvelib -> ResolveLib
(Footnote 4: agreed. And even when you know a newer version is incompatible, you can set a ! x.y to skip a specific version and avoid an upper bound, in the hope the next version is fixed)
"deprecation of setup.py bdist_wheel installs", missing full stop
Nice post.
Dependency Groups are the modern standardized replacement for requirements.txt
In my mind requirements.txt is the lockfile, so dependency groups is not a replacement for that?
In the pip lock section, is it worth mentioning pip lock -e . which will produce pylock.toml for the current project?
Ugh, dammit. I was having issues with getting the video to scale properly so I forced the width.
I'll try again to fix the CSS
# pyproject.toml, in dark mode, the colour contrast ratio is too low making it hard to read. Aim for the WCAG AA accessibility guidelines of at least 4.5:1 https://dequeuniversity.com/rules/axe/4.10/color-contrast
Gonna put the blame on hugo/whatever its syntax highlighting library is. This is out of my control, but is unfortunate.
oh ugh, I was more talking about how lots of people have test-requirements.txt and dev-requirements.txt that aren't locked. I removed that clarifying language at some point and never fixed it.
it can be overridden, but also not so high priority for a single comment on this page
Right, but the thing is that I have CSS for the code blocks themselves (I have lots of custom CSS) so it may not be a simple change.
I'll take a look later in the day. I'll get the content fixed as the release is being cut right now.
Video CSS is fixed 👍