Dependency Injector
General Information
| Field | Value |
|---|---|
| Package Name | dependency-injector |
| Manufacturer / Vendor | Roman Mogylatov / ets-labs and contributors |
| Software Category | Framework |
| Primary Documentation | Documentation, GitHub, PyPI |
| Programming Language(s) | Python, Cython (performance-critical components) |
| License | BSD-3-Clause License |
| Deployed Version(s) | >=4.48.0 (version-locked at 4.48.3) |
| Most Recent Available Version | 4.48.3 |
| Last Review Date | 2026-01-27 |
Overview
Dependency Injector is a dependency injection framework for Python that implements the dependency injection and inversion of control principles. The framework consolidates object assembly in containers with explicitly defined dependency injections, making applications more flexible, testable, and maintainable. It provides a comprehensive set of providers for managing object lifecycles, configuration, and resource initialization, with native support for asynchronous operations and integration with major Python web frameworks including FastAPI, Flask, and Django.
Within the medical device software, Dependency Injector serves as the architectural foundation for managing dependencies across all microservices. It is integrated throughout the system's composition layer, enabling consistent dependency management across 68+ Python modules and 15+ container definitions. Specifically, Dependency Injector is used for:
- Composition root pattern: Centralizing object graph assembly in
DeclarativeContainerclasses that define all application dependencies, their lifecycles, and wiring relationships - Service lifecycle management: Managing singleton instances (database clients, HTTP clients, authentication services) and factory-created instances (use cases, domain services) with appropriate scoping
- Configuration externalization: Loading application settings from Pydantic models via
providers.Configuration().from_pydantic(), enabling environment-specific configuration without code changes - Resource lifecycle control: Managing initialization and cleanup of stateful resources (async HTTP clients, GPU providers, S3 clients) via
providers.Resourcewith proper startup/shutdown handling - FastAPI integration: Wiring dependency injection into FastAPI route handlers using
@injectdecorator andProvide[Container.dependency]syntax for clean separation of concerns - Conditional composition: Selecting implementation variants at runtime based on configuration (e.g., S3 vs Azure storage, primary vs fallback repositories) using
providers.Selector - Resilience patterns: Composing fallback mechanisms with circuit breakers by injecting primary and fallback repositories into resilient wrapper implementations
- Test isolation: Enabling comprehensive unit and integration testing by overriding providers with mocks without modifying production code
The library was selected for its:
- Mature, production-ready architecture with 10+ years of development and 5,100+ dependent projects
- Comprehensive provider types supporting all common dependency patterns (Singleton, Factory, Resource, Configuration)
- Native async/await support essential for the device's FastAPI-based microservices
- Zero direct dependencies, minimizing supply chain risk
- BSD-3-Clause license permitting commercial use in medical device software
- Strong community adoption (4,800+ GitHub stars) and active maintenance
Functional Requirements
The following functional capabilities of this SOUP are relied upon by the medical device software.
| Requirement ID | Description | Source / Reference |
|---|---|---|
| FR-001 | Define declarative containers for organizing dependency providers | containers.DeclarativeContainer base class |
| FR-002 | Provide singleton instances shared across application lifetime | providers.Singleton provider type |
| FR-003 | Create new instances on each request via factory pattern | providers.Factory provider type |
| FR-004 | Manage external configuration from multiple sources | providers.Configuration with .from_pydantic() method |
| FR-005 | Handle resource lifecycle with initialization and cleanup callbacks | providers.Resource provider type |
| FR-006 | Declare explicit dependencies that must be provided at runtime | providers.Dependency provider type |
| FR-007 | Select provider implementations conditionally based on configuration | providers.Selector provider type |
| FR-008 | Create callable factories for conditional logic | providers.Callable provider type |
| FR-009 | Aggregate multiple providers into collections | providers.List provider type |
| FR-010 | Wire containers to modules for automatic injection | container.wire(modules=[...]) method |
| FR-011 | Inject dependencies into functions via decorator | @inject decorator from dependency_injector.wiring |
| FR-012 | Reference container providers in function signatures | Provide[Container.provider] marker from dependency_injector.wiring |
| FR-013 | Initialize all resource providers at application startup | container.init_resources() method |
| FR-014 | Clean up all resource providers at application shutdown | container.shutdown_resources() method |
| FR-015 | Override providers for testing purposes | provider.override() method |
Performance Requirements
The following performance expectations are relevant to the medical device software.
| Requirement ID | Description | Acceptance Criteria |
|---|---|---|
| PR-001 | Provider resolution shall introduce minimal overhead to request handling | Provider resolution overhead < 1ms per dependency |
| PR-002 | Singleton providers shall return cached instances without re-instantiation | No duplicate instantiation of singleton-scoped dependencies |
| PR-003 | Container wiring shall complete within acceptable application startup time | Wiring completes as part of overall application startup (< 5 seconds) |
| PR-004 | Resource initialization shall support async patterns for non-blocking startup | Async resources initialize concurrently where possible |
Hardware Requirements
The following hardware dependencies or constraints are imposed by this SOUP component.
| Requirement ID | Description | Notes / Limitations |
|---|---|---|
| HR-001 | x86-64 or ARM64 processor architecture | Pre-built wheels available for common platforms |
| HR-002 | Sufficient memory for container state | Memory scales with number of singleton instances in containers |
Software Requirements
The following software dependencies and environmental assumptions are required by this SOUP component.
| Requirement ID | Description | Dependency / Version Constraints |
|---|---|---|
| SR-001 | Python runtime environment | Python >=3.8 (CPython 3.8-3.13) |
| SR-002 | FastAPI for web framework integration | Compatible FastAPI version |
| SR-003 | Pydantic for configuration loading | pydantic >=2.0 |
| SR-004 | No direct dependencies | Zero external runtime dependencies |
Known Anomalies Assessment
This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.
As of the review date (2026-01-27), no security vulnerabilities have been reported for the dependency-injector package. A comprehensive search of the National Vulnerability Database (NVD), GitHub Security Advisories, and Snyk's vulnerability database returned no CVEs or security advisories affecting this package. Snyk's security analysis assigns a health score of 82/100, with zero critical, high, medium, or low-severity vulnerabilities identified in version 4.48.3.
The project does not maintain a formal security policy document (GitHub Security tab); however, this represents a governance gap rather than a technical vulnerability. The maintainer has demonstrated responsiveness to issues reported through the standard GitHub issue tracker.
The package has zero direct dependencies, which significantly reduces supply chain risk exposure.
The device's usage pattern minimizes risk exposure:
- No dynamic code execution: The framework is used only for dependency wiring and provider resolution; no user-supplied code or configuration is executed through the container
- Compile-time container definitions: All containers are defined declaratively in code and validated at import time; no runtime container modification from external input
- Controlled provider overrides: Provider overriding is used exclusively in test environments; production code uses fixed container definitions
- Configuration validation: All configuration loaded via
from_pydantic()is validated against Pydantic models before being used by providers - Version locking: Requirements lock files pin dependency-injector to specific versions ensuring reproducible deployments
Risk Control Measures
The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:
- Version locking via requirements_lock.txt ensures reproducible, auditable deployments
- All container definitions are code-reviewed and statically defined
- Configuration sources are restricted to validated Pydantic settings loaded from controlled environment variables
- Provider overrides are restricted to test environments
- No user input flows directly into container configuration or provider definitions
- Zero direct dependencies minimizes supply chain risk exposure
Assessment Methodology
The following methodology was used to identify and assess known anomalies:
-
Sources consulted:
- National Vulnerability Database (NVD) search for "dependency-injector" and "python-dependency-injector"
- GitHub Security Advisories for the repository
- Snyk vulnerability database for package security analysis
- PyPI package security reports
- pip-audit and safety dependency vulnerability scanners
-
Criteria for determining applicability:
- Vulnerability must affect deployed version (4.48.3)
- Vulnerability must be exploitable through the device's dependency injection patterns
- Attack vector must be reachable through the device's interfaces (no external container definitions, no untrusted configuration sources)
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
- Approver: JD-001 General Manager