It makes sense to have requirements.txt be a lockfile, but trying to modify the version numbers of top-level dependencies can be a nightmare.
The proposed idea is to add a new file, requirements.in, that contains all top-level dependencies. These constraints can target a range or a specific version. We can then use pip-compile (from the pip-tools package, installable via pip install pip-tools) to generate a requirements.txt file:
The lockfile can then be updated to the newest versions (as allowed by requirements.in) by running:
Adding or updating version constraints in requirements.in should then result in pip-compile being run which can be enforced by adding an additional git hook on pre-commit.
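One way to write the pre-commit check described above, as an added example that is not part of the original proposal. It assumes a plain git hook installed at .git/hooks/pre-commit with both files at the repository root; the function names are hypothetical, and the hook only verifies the commit rather than running pip-compile itself.

```shell
#!/bin/sh
# Added example: pre-commit guard against lockfile drift.
# Assumption: installed as .git/hooks/pre-commit, files live at the repo root.

# needs_recompile: reads staged paths on stdin. Succeeds (exit 0) when
# requirements.in is staged but requirements.txt is not, i.e. the
# constraints changed and the lockfile was not regenerated with them.
needs_recompile() {
    staged=$(cat)
    printf '%s\n' "$staged" | grep -qxF 'requirements.in' || return 1
    printf '%s\n' "$staged" | grep -qxF 'requirements.txt' && return 1
    return 0
}

# unpinned_lines: prints every requirement line in lockfile $1 that is not
# an exact "name==version" pin. Comment lines, blank lines and option or
# continuation lines (for example "--hash=...") are skipped.
unpinned_lines() {
    grep -Ev '^[[:space:]]*(#|$|-)' "$1" |
        grep -Ev '^[A-Za-z0-9._-]+(\[[^]]+\])?==[^[:space:];]+' || true
}

main() {
    if git diff --cached --name-only | needs_recompile; then
        echo "requirements.in is staged without requirements.txt;" \
             "run pip-compile and stage the result" >&2
        return 1
    fi
    [ -f requirements.txt ] || return 0
    bad=$(unpinned_lines requirements.txt)
    if [ -n "$bad" ]; then
        echo "requirements.txt contains entries that are not exact pins:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Run the checks only when git invokes this file as the pre-commit hook.
case "$0" in
    *pre-commit) main || exit 1 ;;
esac
```

The staging check catches a changed requirements.in committed without a regenerated lockfile; the pin check catches hand edits that turn a locked entry back into a range.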