I’m setting up a local agent with one of the popular frameworks. The docs mention a lot of “optional” dependencies for extra features. When I ran the install, I saw it pulled in several packages I didn’t explicitly ask for.
How do you track or control these? I’m worried about tools automatically grabbing things, especially in the LLM space where things move fast. Do you audit them the same as your main dependencies? Is there a way to prevent the pull entirely if you don’t need the feature?
Yeah, that's a common pain point. I treat optional dependencies the same as main ones for audit purposes because they're still executing code on my system. The key is to not let the package manager decide.
For Python projects, I'll often create a requirements.txt with only the core packages I need, then install with `--no-deps` and manually add any extras after reviewing them. It's a bit more work, but you avoid surprises.
In the LLM space specifically, I've seen tools pull in entire local UI frameworks just because one optional feature uses them. If you don't need that feature, it's dead weight and potential attack surface. Always check the project's dependency groups or extras setup before running the install command.
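One way to do that review before installing, as an added example (not code from the thread or from any particular framework): parse a package's declared `Requires-Dist` entries and split them into the core set and each extra's group, so you can see exactly what `pip install pkg[ui]` would add before you run it. The `SAMPLE_REQUIRES` list is a constructed stand-in for a hypothetical agent framework's metadata; `installed_requirements` reads the same field from a distribution already on the system.

```python
"""Split declared requirements into core vs. per-extra groups (PEP 508 markers)."""
import re
from importlib import metadata

# Constructed sample Requires-Dist lines for a hypothetical agent framework.
# An optional requirement carries a marker such as  extra == "ui".
SAMPLE_REQUIRES = [
    "httpx>=0.25",
    "pydantic>=2",
    'gradio>=4 ; extra == "ui"',
    'pillow ; extra == "ui"',
    'numpy ; extra == "ui"',
    'chromadb ; extra == "vectorstore"',
    'numpy ; extra == "vectorstore"',
]

_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
_EXTRA_RE = re.compile(r'extra\s*==\s*["\']([^"\']+)["\']')


def group_requirements(requires):
    """Return (core, extras): core is a sorted list of names, extras maps extra -> names."""
    core, extras = set(), {}
    for req in requires:
        spec, _, marker = req.partition(";")
        name = _NAME_RE.match(spec.strip()).group(0)
        found = _EXTRA_RE.search(marker)
        if found:
            extras.setdefault(found.group(1), set()).add(name)
        else:
            core.add(name)
    return sorted(core), {k: sorted(v) for k, v in extras.items()}


def install_set(requires, wanted_extras=()):
    """Direct distributions `pip install pkg[extras]` would pull (transitive deps excluded)."""
    core, extras = group_requirements(requires)
    chosen = set(core)
    for extra in wanted_extras:
        chosen.update(extras.get(extra, []))
    return sorted(chosen)


def installed_requirements(dist_name):
    """Requires-Dist of an installed distribution, or [] if it is not installed."""
    try:
        return metadata.requires(dist_name) or []
    except metadata.PackageNotFoundError:
        return []


if __name__ == "__main__":
    core, extras = group_requirements(SAMPLE_REQUIRES)
    print("core:", core)
    for extra, deps in extras.items():
        print(f"extra [{extra}]:", deps)
    # Review this list, then install each entry with `pip install --no-deps`.
    print("install for [ui]:", install_set(SAMPLE_REQUIRES, ["ui"]))
```

Run `installed_requirements("<package>")` on a package you already have to feed its real metadata through the same grouping.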
Segregate or die.
Good point about the package manager. The "no-deps" flag is crucial.
One nuance I've run into, though: some tools use conditional imports, so the optional dependency only triggers when you actually call a specific function. In those cases, you can still get the core install cleanly, and the extra package only loads if you try to use the feature. It doesn't always stop the initial pull during installation, but it can contain the runtime exposure.
Still, your approach is the safer default. Better to assume it's all live code.