{"slug": "closing-the-execution-gap-part-2-dependency-management", "title": "Closing the execution gap, Part 2: Dependency management", "summary": "Jhansi.io v0.3 introduces persistent dependency management for AI-generated code, eliminating the need for manual package installation in cloud sandboxes. The update automatically installs dependencies from manifests like `pyproject.toml` or `requirements.txt`, with fallback to auto-detection via `pipreqs`, and supports Python, Node, Go, and Java. Dependencies are scoped per sandbox workspace, preventing conflicts across runs while restricting egress to official registries for security.", "body_md": "*This is Part 2 of Closing the execution gap — a series on building jhansi.io, a cloud sandbox for AI-generated code.*\n\nThe first question I got after shipping persistent sandboxes was predictable:\n\n\"Great — but do I still have to pip install everything myself?\"\n\nYes. You did. That was embarrassing.\n\nIf the pitch is \"run AI-generated code with zero friction,\" making users manage deps manually is a contradiction. For regulated teams it's worse: every new package is a supply-chain review. Friction kills adoption.\n\nSo v0.3 fixes it.\n\nEvery sandbox starts as a clean container. Upload `main.py`, hit run, and you get:\n\n```\nModuleNotFoundError: No module named 'requests'\n```\n\nThe naive fix is to install at exec time. But downloading from PyPI on every run is slow, expensive, and brittle. `pandas` + `numpy` is a 40s cold start. Run that 100 times and your AI agent burns budget before it does anything useful.\n\nThe right fix: install once, persist forever.\n\njhansi.io gives every sandbox a persistent workspace — a folder that survives across runs. 
In v0.3, dependencies live there too.\n\n`/sandbox/deps`, run your code.\n\n```\n$ curl -X POST .../sandboxes/sb_abc123/exec -d '{\"filename\": \"main.py\"}'\n{\n  \"output\": \"Installing requests==2.31.0...\\n200\\n\"\n}\n\n$ curl -X POST .../sandboxes/sb_abc123/exec -d '{\"filename\": \"main.py\"}'\n{\n  \"output\": \"200\\n\"\n}\n```\n\nThat's the difference between \"AI is too slow\" and \"AI is faster than a junior dev.\"\n\nHow do we know what to install? Both approaches, in the right order.\n\nIf you provide a manifest, we trust you. You know your deps better than any static analyser. If you don't, we fall back to auto-detection.\n\nPriority for Python:\n\n1. `pyproject.toml` → `pip install`\n2. `requirements.txt` → `pip install -r`\n3. `pipreqs` scan\n\n`pipreqs` isn't just `import requests` → `requests`. It knows `import cv2` means `opencv-python`, `import sklearn` means `scikit-learn`. You don't have to remember.\n\nUsing a manifest isn't just faster — it's auditable. Auditors can diff your pinned deps between runs. Auto-detect is for prototyping. More on auditability in Part 5.\n\nAI doesn't just write Python. jhansi.io handles the four languages LLMs generate most:\n\n| Language | Manifest detected | Install command | No manifest fallback |\n|---|---|---|---|\n| Python | `pyproject.toml`, `requirements.txt` | `pip install --target /sandbox/deps` | `pipreqs` auto-detect |\n| Node | `package.json` | `npm install` | Run as-is |\n| Go | `go.mod` | `go mod download` | `go mod init` + `go mod tidy` |\n| Java | `pom.xml`, `build.gradle` | Maven or Gradle | Direct `javac` compile |\n\nEach language keeps its own idioms. We don't impose a universal abstraction. Workspace-scoping means one sandbox's `torch==2.1.0` can't poison another's `torch==1.13`. 
No dependency hell across AI runs.\n\nOne decision worth documenting: we don't vet what gets installed.\n\nEgress is restricted to official registries — PyPI, npm, Maven Central, `proxy.golang.org` — and nothing else. No arbitrary domains. What you install from those registries is your responsibility.\n\nThe contract is simple:\n\njhansi.io guarantees isolation. You own your code.\n\nThis is the same model as AWS Lambda or Cloud Run. We contain the blast radius. We don't audit your imports.\n\nSBOM per exec — a full list of every package installed, with versions and licenses — is on the roadmap. Today we contain. Tomorrow we curate.\n\nTwo things didn't make v0.3:\n\n`torch` is taking forever.\n\n`ImportError` today. We should surface the unlisted import in the response. Coming soon.\n\nNext in the series: `pip install` safely now. But can you stop that package from exfiltrating your AWS credentials? What \"hard-sandboxed\" actually means, why Docker isn't enough, and the attacks most sandboxes miss.\n\n*jhansi.io is open source (Apache 2.0) at github.com/jhansi-io. Follow the series on Dev.to, LinkedIn, and X.*", "url": "https://wpnews.pro/news/closing-the-execution-gap-part-2-dependency-management", "canonical_source": "https://dev.to/thearun85/closing-the-execution-gap-part-2-dependency-management-3eah", "published_at": "2026-06-06 20:29:27+00:00", "updated_at": "2026-06-06 20:41:32.460747+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-tools", "ai-products", "ai-startups", "mlops"], "entities": ["jhansi.io", "PyPI", "requests", "pandas", "numpy"], "alternates": {"html": "https://wpnews.pro/news/closing-the-execution-gap-part-2-dependency-management", "markdown": "https://wpnews.pro/news/closing-the-execution-gap-part-2-dependency-management.md", "text": "https://wpnews.pro/news/closing-the-execution-gap-part-2-dependency-management.txt", "jsonld": "https://wpnews.pro/news/closing-the-execution-gap-part-2-dependency-management.jsonld"}}