Open asaha123 opened 3 years ago
FWIW if you go to the version specific page, then you'll get a version specific qualifier, e.g. https://pypi.org/project/python-json-logger/2.0.1/
This is similar to #9449, I think.
This encourages best practice to always pin your package.
I'm not sure about that. It's a good practice to have 2 sets of requirements, unpinned requirements that your project uses directly, and some sort of a lock file that contains both your direct and indirect dependencies, with pins and ideally hashes. That is what you'll get with pip-compile, poetry, pip-env, etc.
If you pin everything by default and have good dependency habits regarding security updates & such, it can work for you, but if you pin everything by default and call it a day, you're in for some troubles (how many projects have we all met where requirements.txt was append-only with pinned dependencies, and after a few years, it was a big mess...). With all that, if we have to choose between "pin everything" and "pin nothing" as the default behaviour PyPI suggest, I'd tend to prefer "pin nothing". That being said, it's not me who calls the shots.
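The comment above describes a lock file whose entries carry both an exact pin and hashes. As an added example that is not part of this issue or of Warehouse, here is a small checker that parses a pip-compile style lock file and reports entries that are not fully locked; the lock file contents and the sha256 value are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lock file in pip-compile style (not taken from the issue).
# The sha256 value is a placeholder, not the digest of any real release.
SAMPLE_LOCK = """\
# generated by pip-compile (constructed example)
python-json-logger==2.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.25          # direct dependency left unpinned
urllib3==1.26.5         # pinned, but no hash
"""

NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+:[0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    pinned_version: Optional[str]          # None unless the line is an exact '==' pin
    hashes: List[str] = field(default_factory=list)

    @property
    def is_locked(self) -> bool:
        """Locked means an exact pin plus at least one --hash, as pip-compile emits."""
        return self.pinned_version is not None and bool(self.hashes)


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def parse_lock(text: str) -> List[Requirement]:
    reqs = []
    for line in logical_lines(text):
        name = NAME_RE.match(line)
        if not name:
            continue                        # URLs, options, etc. are out of scope here
        pin = PIN_RE.match(line)
        reqs.append(Requirement(name.group(0), pin.group(2) if pin else None, HASH_RE.findall(line)))
    return reqs


def unlocked(reqs: List[Requirement]) -> List[str]:
    """Names of entries that lack either an exact pin or a hash."""
    return [r.name for r in reqs if not r.is_locked]
```

Run it over a real lock file with `parse_lock(open("requirements.txt").read())`; a non-empty `unlocked()` result is what a CI check would fail on.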
What's the problem this feature will solve?
Currently, when we click on "Copy to Clipboard" on a package's PyPI page, we get the following copied to the clipboard:
pip install python-json-logger
(for example). This isn't ideal since we then have to manually copy the version number to either install a specific version or put it in our requirements.txt file.
Describe the solution you'd like
The copied text could instead be
pip install python-json-logger==2.0.1
. This is similar to what crates.io (for Rust) offers.
Additional context
This encourages best practice to always pin your package.