There are at least three good options available today:

- Poetry uses `pyproject.toml` and `poetry.lock` files, much in the same way that `package.json` and lock files work in the JavaScript world.

  This is now my preferred solution.

- Pipenv uses `Pipfile` and `Pipfile.lock`, also much like you describe the JavaScript files.

Both Poetry and Pipenv do more than just dependency management. Out of the box, they also create and maintain virtual environments for your projects.

- pip-tools provides `pip-compile` and `pip-sync` commands. Here, `requirements.in` lists your direct dependencies, often with loose version constraints and `pip-compile` generates locked down `requirements.txt` files from your `.in` files.

  This used to be my preferred solution. It’s backwards-compatible (the generated `requirements.txt` can be processed by `pip`) and the `pip-sync` tool ensures that the virtualenv exactly matches the locked versions, removing things that aren’t in your “lock” file.
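
The exact-match property described for `pip-sync` above, as an added example that is not part of the original answer and not pip-tools' own code: a read-only check that reports how an environment differs from a compiled `requirements.txt`. The function names, the ignore list and the sample data are assumptions of this example, and environment markers are not evaluated.

```python
import re
from importlib import metadata

# name, optional [extras], then an exact '==' pin; markers after ';' are not evaluated
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")

def canonical(name):
    """PEP 503 normalization, so 'Flask_Login' and 'flask-login' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lock(text):
    """Return {name: version} from a compiled requirements.txt; refuse loose pins."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()             # drop '# via ...' annotations
        if not line or line.startswith(("#", "--")):  # comments, --hash/--index-url
            continue
        match = PIN.match(line)
        if not match:
            raise ValueError(f"not an exact pin: {raw.strip()!r}")
        pins[canonical(match.group(1))] = match.group(2)
    return pins

def installed_packages():
    """Name -> version for every distribution visible to the running interpreter."""
    return {d.metadata["Name"]: d.version
            for d in metadata.distributions() if d.metadata["Name"]}

def drift(locked, installed, ignore=("pip", "setuptools", "wheel", "pip-tools")):
    """Compare an environment to the lock. `ignore` is this example's assumption."""
    installed = {canonical(n): v for n, v in installed.items()}
    skip = {canonical(n) for n in ignore}
    return {
        "missing": sorted(n for n in locked if n not in installed),
        "mismatched": sorted(n for n in locked if installed.get(n, locked[n]) != locked[n]),
        "extra": sorted(n for n in installed if n not in locked and n not in skip),
    }

# Constructed sample data, not output from a real project.
SAMPLE_LOCK = """\
certifi==2024.2.2
    # via requests
idna==3.6
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via -r requirements.in
"""
SAMPLE_INSTALLED = {"Requests": "2.31.0", "certifi": "2023.7.22", "example-extra": "0.1", "pip": "24.0"}

if __name__ == "__main__":
    print(drift(parse_lock(SAMPLE_LOCK), SAMPLE_INSTALLED))
```

To check a real environment, pass `installed_packages()` as the second argument to `drift`; any non-empty list in the result means the environment no longer matches the lock.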