packages / modules inside of a pyz are not used if present in root python path

Open rhytnen opened this issue 6 years ago • 2 comments

I ran into an issue where my pyz packages pyyaml 5.1 but when run and extracted, the pyyaml it actually imported was an outdated version from the core python installation. This behavior seems consistent whether it is a package or module, part of the standard library or something installed into the root python etc.

Is this intended behavior and if so, is there a best practice?

rhytnen avatar May 24 '19 04:05 rhytnen

hi @rhytnen

pyz files created with shiv modify the sys.path upon bootstrapping and place the packed dependencies before any other instances of site-packages or dist-packages. The precedence order should be as follows:

  1. $CWD & stdlib, since we don't package these, they are searched first during import. This is python's default behavior
  2. the dependencies included in your pyz
  3. any site packages on your local machine (so anything that may have been added via sudo pip install or pip install --user)
  4. any dist-packages, so anything that the OS maintainer includes by default

So when you say you have a version of pyyaml installed into your "core python" I presume you mean via pip install into the global site-packages; this should be evaluated after the pyyaml that's included in your pyz. The only scenario where it would be picked up first would be if you are running the pyz in the same $CWD as a pyyaml (since Python's default import order checks in $CWD first).

What version of shiv did you create the pyz with? Another helpful piece of debugging info would be to run `SHIV_INTERPRETER=1 ./path/to/your/pyz` and then copy/paste the output of `import sys; print(sys.path)`

thanks!

lorencarvalho avatar May 28 '19 16:05 lorencarvalho

BTW, it would be a nice addition security-wise if there were a flag to remove the CWD from sys.path on bootstrap, to prevent code injection attacks.

jhermann avatar Jan 30 '20 11:01 jhermann
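
A diagnostic for the import-order question in this thread, added here as an example and not part of shiv or of any comment above: it walks a search path in order and reports which entry supplies a module, which copies it shadows, and whether the winning copy comes from the current working directory. The function names are hypothetical, and built-in and frozen modules, which Python resolves before `sys.path`, are not covered.

```python
import importlib
import importlib.machinery
import os
import sys


def providers(module_name, search_path=None):
    """List (index, entry, origin) for each path entry that can supply module_name."""
    search_path = sys.path if search_path is None else search_path
    importlib.invalidate_caches()  # pick up files created since the last lookup
    found = []
    for index, entry in enumerate(search_path):
        location = entry or os.getcwd()  # '' in sys.path means the CWD
        spec = importlib.machinery.PathFinder.find_spec(module_name, [location])
        # origin is None for namespace-package portions, which never win
        # over a regular module or package later in the path; skip them.
        if spec is not None and spec.origin:
            found.append((index, entry, os.path.realpath(spec.origin)))
    return found


def is_cwd(entry):
    """True if a path entry resolves to the current working directory."""
    return entry == "" or os.path.realpath(entry) == os.path.realpath(os.getcwd())


def report(module_name, search_path=None):
    """Summarise which copy of module_name an import would load, and from where."""
    hits = providers(module_name, search_path)
    return {
        "winner": hits[0][2] if hits else None,
        "shadowed": [origin for _, _, origin in hits[1:]],
        "winner_from_cwd": bool(hits) and is_cwd(hits[0][1]),
    }


if __name__ == "__main__":
    # Assumed usage: run inside the interpreter you are debugging.
    name = sys.argv[1] if len(sys.argv) > 1 else "yaml"
    for key, value in report(name).items():
        print(f"{key}: {value}")
```

A `winner_from_cwd` of true on a module you did not intend to load from the working directory is the case the last comment is concerned with.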