PyTrim: A Practical Tool for Reducing Python Dependency Bloat

from arxiv, Accepted in the Proceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering (ASE), Seoul, Korea. Supported by EU's Horizon 2021 research and innovation programme under grant agreement no. 101070599 (SecOPERA)

Dependency bloat is a persistent challenge in Python projects, which increases maintenance costs and security risks. While numerous tools exist for detecting unused dependencies in Python, removing these dependencies across the source code and configuration files of a project requires manual effort and expertise. To tackle this challenge we introduce PYTRIM, an end-to-end system to automate this process. PYTRIM eliminates unused imports and package declarations across a variety of file types, including Python source and configuration files such as requirements.txt and setup.py. PYTRIM's modular design makes it agnostic to the source of dependency bloat information, enabling integration with any detection tool. Beyond its contribution when it comes to automation, PYTRIM also incorporates a novel dynamic analysis component that improves dependency detection recall. Our evaluation of PYTRIM's end-to-end effectiveness on a ground-truth dataset of 37 merged pull requests from prior work, shows that PYTRIM achieves 98.3% accuracy in replicating human-made changes. To show its practical impact, we run PYTRIM on 971 open-source packages, identifying and trimming bloated dependencies in 39 of them. For each case, we submit a corresponding pull request, 6 of which have already been accepted and merged. PYTRIM is available as an open-source project, encouraging community contributions and further development. Video demonstration: https://youtu.be/LqTEdOUbJRI Code repository: https://github.com/TrimTeam/PyTrim

翻译：依赖膨胀是Python项目中长期存在的挑战，它会增加维护成本和安全风险。尽管已有多种工具可用于检测Python中未使用的依赖项，但在项目的源代码和配置文件中移除这些依赖项仍需人工操作和专业经验。为应对这一挑战，我们引入了PYTRIM——一个实现该过程自动化的端到端系统。PYTRIM能在多种文件类型（包括Python源文件及requirements.txt、setup.py等配置文件）中自动删除未使用的导入语句和包声明。其模块化设计使其不依赖于特定的依赖膨胀检测工具，可与任意检测工具集成。除自动化功能外，PYTRIM还包含一种新颖的动态分析组件，能提升依赖检测的召回率。我们在包含37个历史合并拉取请求的真实数据集上评估了PYTRIM的端到端效能，结果显示PYTRIM在复现人工修改方面达到98.3%的准确率。为展示其实用价值，我们对971个开源软件包运行PYTRIM，成功在39个软件包中识别并清理了冗余依赖。针对每个案例我们都提交了相应拉取请求，其中已有6个被接受并合并。PYTRIM已作为开源项目发布，以促进社区贡献和持续发展。视频演示：https://youtu.be/LqTEdOUbJRI 代码仓库：https://github.com/TrimTeam/PyTrim