Show Licenses for Requirements.txt

[jakeBass]

Hi! I'm interested in being able to feed in a specific requirements.txt file and get the licenses for the packages listed in the file. There doesn't appear to be a CLI option supporting this. I'm curious -- does that seem like a reasonable feature? Thanks!

For reference, it could look something like:

pip-licenses --requirements-file=/path/to/requirements.txt

[stefan6419846]

You can just create a virtual environment, install your requirements there and use the --python option. I do not see an easier option for pip-licenses itself here as well due to iterating over the local package metadata.

[stefan6419846]

Most likely a duplicate of #108 as well.

[jakeBass]

Ah yup, I think this is a duplicate. Apologies as I couldn't find that, and didn't have a good understanding of how your library works (might be worth adding a brief How It Works section in the README?).

I am wondering if you've considered any alternate ways to get license info in the case where creating a venv is infeasible -- downloading the info from pypi or the package's repo possibly?

[stefan6419846]

The repository already states:

Dump the license list of packages installed with pip.

and

pip-licenses is a CLI tool for checking the software license of installed Python packages with pip.

So it already states that it is about local packages.

I am wondering if you've considered any alternate ways to get license info in the case where creating a venv is infeasible -- downloading the info from pypi or the package's repo possibly?

I am neither the maintainer nor the author of this package, but just a user. Nevertheless, IMHO this is out of scope for pip-licenses as this basically requires a completely different approach (fetching and parsing JSON from PyPI etc.) I am not aware of a corresponding package which would already implement this.

Speaking of myself, I already use a combination of pip-licenses and custom scanning of packages without having to install them, although without resolving any dependency chains due to pip-licenses providing me all the necessary Python package names.

[alper]

I can get the requirements.txt for a couple dozen repositories here but running all of them locally, installing all their packages and extracting the license information from there is a total non starter.

Weird that it's not possible to get this from requirements.txt or pyproject.toml.

[stefan6419846]

As already stated above, this is just how pip-licenses has been implemented, id est relying on importlib.metadata from the stdlib without doing any outbound network requests and being faster due to this (and reducing traffic). This usually is fine for projects you are actively working it as you will have a dedicated virtual environment anyway.

Implementing an alternative approach in another package is still feasible, but IMHO out of scope for pip-licenses due to using a completely different concept.

[alper]

OK. I've found that cdxgen works fine for my use case.