When not providing all dependencies yourself, you might suffer from people deleting the packages you depend on (IMHO a very rare scenario). If it is really that critical (hint: usually it isn't), create a local mirror of PyPI (full or only the packages you need). Devpi, Artifactory, etc. can do that, or you just dump the necessary files into cloud storage so you have a backup.
If you commit a requirements.txt (instead), you are open to supply-chain attacks: someone could hijack https://pypi.org (or your route to that domain) and provide a malicious version of the package. To prevent that, use lockfiles (like Poetry & others do) which not only contain the package dependencies, but also their file hashes.
If you're using poetry you really should be using https://github.com/python-poetry/poetry-plugin-export for this instead, if you really need a requirements file.
pipenv solves this by having both kinds of requirement files: Pipfile lists package names and known constraints on which versions can be used, while Pipfile.lock gives specific package versions with hashes. Theoretically the Pipfile (and its lockfile) formats were supposed to be a standard that many different tools could use, but I haven't seen it get adopted much outside of pipenv itself, so I'm not sure if it's really going to catch on.
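The comments above (the one recommending hash-carrying lockfiles and the one describing Pipfile.lock) both rest on the same mechanism: the lockfile records a digest of each artifact, and the installer refuses anything that does not match. The following is an added example, not code from this thread or from pip, Poetry or pipenv. It re-implements the core of pip's hash-checking mode (`requirements.txt` lines with `--hash=sha256:...` options) in a few dozen lines: parse the pinned file, refuse any requirement that lacks a hash, and verify a downloaded artifact against the recorded digests. The package names, version numbers and artifact bytes are constructed for the demo and stand in for real wheels.

```python
"""Added example: hash-pinned requirements as a supply-chain check.

This is a minimal re-implementation of what `pip install --require-hashes`
verifies, written for illustration; it is not pip's code. Package names,
versions and artifact bytes below are constructed stand-ins.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    # algorithm -> set of acceptable hex digests (several are normal:
    # one per wheel/sdist that pip may pick for this version)
    hashes: dict[str, set[str]] = field(default_factory=dict)


def parse_hashed_requirements(text: str) -> list[PinnedRequirement]:
    """Parse lines of the form

        name==version \\
            --hash=sha256:<hex> \\
            --hash=sha256:<hex>

    Every requirement must be an exact `==` pin and carry at least one
    hash; anything else is rejected, mirroring pip's all-or-nothing rule.
    (Extras, markers, -r/-e lines and URLs are deliberately not handled.)
    """
    logical = text.replace("\\\n", " ")  # join backslash continuations
    reqs: list[PinnedRequirement] = []
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([A-Za-z0-9_.!+-]+)", parts[0])
        if not m:
            raise ValueError(f"not an exact pin: {parts[0]!r}")
        req = PinnedRequirement(m.group(1).lower(), m.group(2))
        for opt in parts[1:]:
            if not opt.startswith("--hash="):
                raise ValueError(f"unexpected option {opt!r}")
            algo, _, digest = opt[len("--hash="):].partition(":")
            if algo not in ALLOWED_ALGORITHMS:
                raise ValueError(f"weak or unknown hash algorithm {algo!r}")
            digest = digest.lower()
            if not re.fullmatch(r"[0-9a-f]+", digest) or \
                    len(digest) != hashlib.new(algo).digest_size * 2:
                raise ValueError(f"malformed {algo} digest for {req.name}")
            req.hashes.setdefault(algo, set()).add(digest)
        if not req.hashes:
            raise ValueError(f"{req.name}: no --hash given, refusing unpinned artifact")
        reqs.append(req)
    return reqs


def artifact_matches(req: PinnedRequirement, data: bytes) -> bool:
    """True if the artifact bytes match any recorded digest for this pin."""
    return any(
        hashlib.new(algo, data).hexdigest() in digests
        for algo, digests in req.hashes.items()
    )


def is_acceptable_lockfile(text: str) -> bool:
    """Convenience wrapper: does the file pass the strict parser at all?"""
    try:
        parse_hashed_requirements(text)
        return True
    except ValueError:
        return False


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a trusted artifact whose digest was recorded
    (what `pip hash` would print) versus a tampered copy served by a
    hijacked index. Returns (trusted_ok, tampered_ok)."""
    trusted = b"PK\x03\x04 constructed stand-in for the trusted wheel bytes"
    tampered = trusted + b"\n# payload appended by a malicious mirror"
    lock = (
        "example-pkg==1.2.3 \\\n"
        f"    --hash=sha256:{hashlib.sha256(trusted).hexdigest()}\n"
    )
    (req,) = parse_hashed_requirements(lock)
    return artifact_matches(req, trusted), artifact_matches(req, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

With real tooling the same check is `pip install --require-hashes -r requirements.txt`; the `--hash` lines come from `pip hash <file>`, and poetry-plugin-export writes them by default when exporting to the requirements format. Note what the hash does and does not protect against: it catches a substituted or modified artifact on the index or on the path to it, but it does not vouch for the contents of the version you pinned in the first place, so the review still happens when the lock is updated.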