Keywords: Python | requirements.txt | dependency management
Abstract: This article explores whether version specification is mandatory in Python requirements.txt files. By analyzing core challenges in dependency management, it concludes that while not required, version pinning is highly recommended to ensure project stability. It details how to select versions, use pip freeze for automatic generation, and emphasizes the critical role of virtual environments in dependency isolation. Additionally, it contrasts requirements.txt with install_requires in setup.py, offering tailored advice for different scenarios.
In Python project development, the requirements.txt file is a central tool for managing dependencies. A common question arises: is it necessary to specify versions for each package in this file? The answer is no, but from an engineering perspective, it is strongly advised to pin versions to ensure project reproducibility and stability.
Importance of Version Pinning
Although Python's pip tool allows omitting versions in requirements.txt, this can lead to "dependency hell." Without version specification, pip install installs the latest version, which may introduce breaking changes. For instance, if a project depends on the requests package, a new version might alter APIs, causing existing code to fail. By specifying a version, such as requests==2.18.4, all developers and deployment environments use the same dependency versions, preventing unexpected issues.
How to Choose Versions
For new packages, consider compatibility and stability when selecting versions. First, consult the package's official documentation or PyPI page to understand release history and recommended versions. Second, use the pip freeze command to automatically generate a list of installed packages with their versions. Execute in the terminal:
pip freeze > requirements.txtThis produces a file with exact versions, like pytz==2017.2. However, note that pip freeze includes all packages, even indirect dependencies, potentially bloating the file. Thus, it is advisable to manually maintain core dependencies, specifying only directly used packages.
Critical Role of Virtual Environments
Regardless of version specification, using virtual environments is a best practice in Python development. Tools like venv, virtualenv, or conda create isolated Python environments for each project, preventing dependency conflicts. For example, Project A might require numpy==1.18, while Project B needs numpy==1.20; virtual environments allow both to coexist. Tools such as pipenv further integrate dependency management with virtual environments, offering a more streamlined workflow.
requirements.txt vs. setup.py
When developing distributable packages, dependency management should be handled via the install_requires field in setup.py, not solely through requirements.txt. install_requires defines minimum dependency requirements for package installation, supporting version ranges like requests>=2.18.0. In contrast, requirements.txt is better suited for recording exact versions, facilitating deployment and environment replication. For example, in setup.py:
from setuptools import setup
setup(
name="example_package",
install_requires=[
"requests>=2.18.0",
"six"
]
)This allows flexible dependency handling, while fixed versions in requirements.txt ensure consistency.
Practical Recommendations and Conclusion
In summary, while version specification in requirements.txt is not mandatory, it greatly enhances project reliability. Adopt the following workflow: first, use virtual environments to isolate projects; second, record versions via pip freeze or manual specification; third, separate development and production dependencies, using requirements-dev.txt for testing tools. For open-source packages, prefer install_requires for loose dependencies, and lock versions with requirements.txt during deployment. This layered management strategy balances flexibility and stability, representing a mature practice in the Python ecosystem.