Removed unused runtime dependencies setuptools and toml #340

Closed
rolweber opened this issue Jan 13, 2023 · 6 comments

@rolweber
Contributor

Version 3.1.5 from PyPI declares dependencies on setuptools and toml:

Requires-Dist: setuptools (>=47.0.0)
Requires-Dist: toml (>=0.10.0,<0.11.0)

However, I found no reference to these dependencies in the installed code that comes with the package.

Are these dependencies leftovers from a time when EnvironmentParser (setuptools) and PoetryParser (toml) were still part of this codebase? Can they be dropped now?

@jkowalleck
Member

jkowalleck commented Jan 13, 2023

Thanks for the report, @rolweber
Evidence: the sdist release contains the following

install_requires = \
['packageurl-python>=0.9',
 'setuptools>=47.0.0',
 'sortedcontainers>=2.4.0,<3.0.0',
 'toml>=0.10.0,<0.11.0']

caused by https://github.com/CycloneDX/cyclonedx-python-lib/blame/main/pyproject.toml#L47

@jkowalleck
Member

jkowalleck commented Jan 13, 2023

Can they [unused runtime dependencies] be dropped now?

Probably. Need to check the actual usage of the packages.
setuptools ships two python packages: setuptools and pkg_resources.
toml ships only one package: toml.

@rolweber would you create a pull request and change things to the behavior you'd expect?
If so, please keep our contribution guidelines in mind.

@jkowalleck jkowalleck added good first issue Good for newcomers help wanted Extra attention is needed labels Jan 13, 2023
@rolweber
Contributor Author

Evidence:

  1. I grepped for the package names, see below.
  2. I removed the dependencies in question and was still able to build a BOM and output it as JSON.

ls -l cyclonedx*

cyclonedx:
total 12
drwxr-xr-x. 1 rolweber rolweber   98 Jan 13 11:29 exception/
drwxr-xr-x. 1 rolweber rolweber   64 Jan 13 11:29 factory/
-rw-r--r--. 1 rolweber rolweber  697 Jan 13 11:29 __init__.py
drwxr-xr-x. 1 rolweber rolweber  260 Jan 13 11:29 model/
drwxr-xr-x. 1 rolweber rolweber  108 Jan 13 11:29 output/
drwxr-xr-x. 1 rolweber rolweber   44 Jan 13 11:29 parser/
drwxr-xr-x. 1 rolweber rolweber   84 Jan 13 11:29 __pycache__/
-rw-r--r--. 1 rolweber rolweber  153 Jan 13 11:29 py.typed
drwxr-xr-x. 1 rolweber rolweber  488 Jan 13 11:29 schema/
-rw-r--r--. 1 rolweber rolweber 2071 Jan 13 11:29 spdx.py

cyclonedx_python_lib-3.1.5.dist-info:
total 36
-rw-r--r--. 1 rolweber rolweber     4 Jan 13 11:29 INSTALLER
-rw-r--r--. 1 rolweber rolweber 11357 Jan 13 11:29 LICENSE
-rw-r--r--. 1 rolweber rolweber  5878 Jan 13 11:29 METADATA
-rw-r--r--. 1 rolweber rolweber  6075 Jan 13 11:29 RECORD
-rw-r--r--. 1 rolweber rolweber     0 Jan 13 11:29 REQUESTED
-rw-r--r--. 1 rolweber rolweber    88 Jan 13 11:29 WHEEL

grep -r setuptools cyclonedx*

cyclonedx_python_lib-3.1.5.dist-info/METADATA:Requires-Dist: setuptools (>=47.0.0)

grep -r pkg_resources cyclonedx*

There's a _distutils_hack package in setuptools...
grep -r distutils cyclonedx*

grep -r toml cyclonedx*

cyclonedx_python_lib-3.1.5.dist-info/METADATA:Requires-Dist: toml (>=0.10.0,<0.11.0)
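The two comments above make the same point from different directions: a dependency is declared per distribution (setuptools, toml) but used per top-level module (setuptools, pkg_resources, _distutils_hack, toml), so a check has to map one to the other before grepping. The script below is an added example, not code from cyclonedx-python-lib or from either commenter. It parses the Requires-Dist lines of a METADATA file, walks the installed package with the ast module to collect every absolutely-imported top-level module, and reports declared runtime dependencies none of whose modules is imported. SAMPLE_METADATA, the TOP_LEVEL_MODULES table and build_sample_package() are constructed for the example; in a real run you would point it at the METADATA and package directory of the installed wheel, and could derive the module table from the installed distribution's top_level.txt or RECORD via importlib.metadata.

```python
"""Report declared runtime dependencies that the package never imports.

Added example (not part of cyclonedx-python-lib). It applies the observation
from the issue: check usage per top-level module, not per distribution name.
"""
import ast
import re
import tempfile
from pathlib import Path

# Constructed sample mirroring the Requires-Dist lines quoted in the issue
# (the extras line is made up to show that extras are skipped).
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: cyclonedx-python-lib
Version: 3.1.5
Requires-Dist: packageurl-python (>=0.9)
Requires-Dist: setuptools (>=47.0.0)
Requires-Dist: sortedcontainers (>=2.4.0,<3.0.0)
Requires-Dist: toml (>=0.10.0,<0.11.0)
Requires-Dist: pytest ; extra == 'test'
"""

# Distribution name -> top-level modules it ships. Hand-written here so the
# example runs offline; setuptools ships setuptools, pkg_resources and the
# _distutils_hack shim, toml ships a single module.
TOP_LEVEL_MODULES = {
    "packageurl-python": {"packageurl"},
    "setuptools": {"setuptools", "pkg_resources", "_distutils_hack"},
    "sortedcontainers": {"sortedcontainers"},
    "toml": {"toml"},
}

_REQ_RE = re.compile(r"^Requires-Dist:\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def declared_dependencies(metadata_text: str) -> list[str]:
    """Distribution names from Requires-Dist, skipping extras-only lines."""
    deps = []
    for line in metadata_text.splitlines():
        m = _REQ_RE.match(line)
        if m and "extra ==" not in line:
            deps.append(m.group(1).lower())
    return deps


def imported_top_level_modules(package_dir: Path) -> set[str]:
    """Top-level module of every absolute import in the package's .py files.

    Relative imports (level > 0) are the package's own modules and are ignored.
    Dynamic imports (importlib.import_module, __import__) are not seen, so a
    clean result is evidence of non-use, not proof.
    """
    found: set[str] = set()
    for py in sorted(package_dir.rglob("*.py")):
        tree = ast.parse(py.read_text(encoding="utf-8"), filename=str(py))
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    found.add(alias.name.split(".")[0])
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                found.add(node.module.split(".")[0])
    return found


def unused_dependencies(metadata_text: str, package_dir: Path) -> list[str]:
    """Declared dependencies whose modules are never imported, in METADATA order."""
    imported = imported_top_level_modules(package_dir)
    unused = []
    for dist in declared_dependencies(metadata_text):
        # Fallback for distributions not in the table: assume module == dist name.
        modules = TOP_LEVEL_MODULES.get(dist, {dist.replace("-", "_")})
        if not modules & imported:
            unused.append(dist)
    return unused


def build_sample_package(root: Path) -> Path:
    """Constructed stand-in for an installed package that uses two of the
    four declared dependencies (packageurl and sortedcontainers only)."""
    pkg = root / "cyclonedx"
    (pkg / "model").mkdir(parents=True)
    (pkg / "__init__.py").write_text("from .model import Component\n")
    (pkg / "model" / "__init__.py").write_text(
        "from packageurl import PackageURL\n"
        "from sortedcontainers import SortedSet\n"
        "import json, os.path\n"
        "class Component: ...\n"
    )
    return pkg


def demo() -> list[str]:
    """Run the check against the constructed package; returns ['setuptools', 'toml']."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp))
        return unused_dependencies(SAMPLE_METADATA, pkg)


if __name__ == "__main__":
    for dist in demo():
        print(f"declared but never imported: {dist}")
```

Combine this with the second piece of evidence the reporter used, removing the dependencies and exercising the package end to end, because static import scanning cannot see plugin loading or dynamic imports, and a dependency can also be needed for an entry point or a C extension rather than an import statement.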

@rolweber
Contributor Author

There are references to toml and setuptools in pyproject.toml, poetry.lock, and requirements.lowest.txt. Also some comments regarding types-setuptools, which is supposed to be kept in sync with setuptools, but actually isn't (version 57 vs 47). As I am not familiar with poetry, your project setup looks very intricate and intimidating to me.

@jkowalleck
Member

jkowalleck commented Jan 13, 2023

To be honest, the situation is not critical to me as a maintainer.
Therefore, I do not intend to work on this soon.

So this is free for everyone who has a problem with the current situation. Feel free to raise a pull request to improve this library.
If so, please keep our contribution guidelines in mind. I will be happy to assist, if needed.

@madpah madpah added this to the 4.0.0 milestone Mar 7, 2023
@madpah madpah self-assigned this Mar 7, 2023
@madpah madpah changed the title Unused runtime dependencies? Removed unused runtime dependencies setuptools and toml Mar 7, 2023
@madpah
Collaborator

madpah commented Mar 20, 2023

Included in 4.0.0 - now released.

@madpah madpah closed this as completed Mar 20, 2023
jkowalleck added a commit that referenced this issue Mar 20, 2023
Signed-off-by: Jan Kowalleck <[email protected]>
madpah pushed a commit that referenced this issue Mar 21, 2023
Signed-off-by: Jan Kowalleck <[email protected]>