Hacker News
by adaszko 2750 days ago
With pip for instance, it often happens that a transitive dependency gets updated, inadvertently breaking your code. This follows from the assumption that all packages follow semantic versioning perfectly and keep backward compatibility where they should. This is not the case in practice, and experience has shown it is unrealistic to have that assumption. A better way is to rely on exact versions of packages (up to a single bit) and not on semantic versioning.

How would you update something inadvertently?
If the specific version of a dependency (or subdependency) isn't pinned, then the next time the package is installed in another environment it'll get the most recent matching version. That version might break your code.

If the specific versions of all subdependencies are pinned, then you have a mess on your hands keeping track of what's actually required. You have to either manually maintain your requirements.txt, or you run the risk of removing a dependency and missing the removal of its subdependencies.

Further, you can't just upgrade everything, but dependencies might have conflicting version requirements for subdependencies.

Transitive dependencies... it seems to be common in Python libs to express dependencies using version ranges - but then version 18.1 breaks something that worked under 18.0 - which isn't what you'd expect if it followed semver.
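The two failure modes raised in the replies above (an unpinned subdependency silently floating to its newest release, and a fully pinned requirements.txt where nobody can tell which pins are still required) can both be checked mechanically. The following is an added example, not code from the thread or from pip: a stdlib-only audit of a requirements file. It takes the list of direct dependencies and a dependency graph (here a constructed dict standing in for each package's Requires-Dist metadata, which in a real environment you would read from `importlib.metadata`) and reports pins that are not exact, pins without a `--hash`, orphaned pins that nothing requires any more, and required packages that were left to the resolver. The lockfile text, the graph and the all-zero hash are constructed for the example.

```python
"""Audit a pip lockfile: exact pins, hashes, orphaned pins and unpinned transitive deps."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Set


def canonical(name: str) -> str:
    """Normalise a project name the way PyPI does (PEP 503): case- and separator-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Pin:
    name: str                                   # canonical project name
    specifier: str                              # e.g. '==2.31.0' or '>=2.0,<3'
    hashes: List[str] = field(default_factory=list)

    @property
    def exact(self) -> bool:
        # Only '==X' / '===X' without a wildcard fixes one release; '==2.*' or a range does not.
        return re.fullmatch(r"===?\s*[^,\s*]+", self.specifier) is not None


_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;]*)")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines, as pip does (pip-compile splits hash lists this way)."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_requirements(text: str) -> List[Pin]:
    pins: List[Pin] = []
    for line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()           # drop trailing comments
        if not line or line.startswith("-"):           # blank, -r, --index-url, ...
            continue
        tokens = line.split()
        hashes = [t[len("--hash="):] for t in tokens if t.startswith("--hash=")]
        req = " ".join(t for t in tokens if not t.startswith("--hash="))
        m = _REQ.match(req)
        if not m:
            raise ValueError(f"cannot parse requirement line: {line!r}")
        pins.append(Pin(canonical(m.group(1)), m.group(3).strip(), hashes))
    return pins


def reachable(direct: Iterable[str], graph: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of the direct dependencies over Requires-Dist edges."""
    edges = {canonical(k): [canonical(v) for v in vs] for k, vs in graph.items()}
    seen: Set[str] = set()
    stack = [canonical(d) for d in direct]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, []))
    return seen


def audit(requirements: str, direct: Iterable[str], graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    pins = parse_requirements(requirements)
    pinned = {p.name for p in pins}
    needed = reachable(direct, graph)
    return {
        "not_exact": sorted(p.name for p in pins if not p.exact),  # a range: next release gets pulled in
        "no_hash": sorted(p.name for p in pins if not p.hashes),   # version fixed, artifact not
        "orphans": sorted(pinned - needed),                        # pinned, but nothing requires it
        "missing": sorted(needed - pinned),                        # required, but left to the resolver
    }


# Constructed lockfile for the example (illustrative versions, all-zero placeholder hash).
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
charset-normalizer==3.3.2
idna==3.6
urllib3>=2.0,<3        # range, not an exact pin: a new 2.x release will be picked up
Flask==3.0.2
Werkzeug==3.0.1
Jinja2==3.1.3
MarkupSafe==2.1.5
itsdangerous==2.1.2
click==8.1.7
blinker==1.7.0
six==1.16.0            # orphan: nothing in the graph below requires it any more
"""

# Constructed stand-in for Requires-Dist metadata; certifi is deliberately absent from the lockfile.
SAMPLE_GRAPH = {
    "requests": ["charset-normalizer", "idna", "urllib3", "certifi"],
    "Flask": ["Werkzeug", "Jinja2", "itsdangerous", "click", "blinker"],
    "Jinja2": ["MarkupSafe"],
    "Werkzeug": ["MarkupSafe"],
}
DIRECT = ["requests", "Flask"]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_REQUIREMENTS, DIRECT, SAMPLE_GRAPH).items():
        print(f"{kind:10s} {names}")
```

On the sample, `urllib3` is reported as not exact, `six` as an orphan and `certifi` as missing. In practice the bookkeeping is best left to a tool: keep only the direct dependencies in a short `requirements.in`, let `pip-compile --generate-hashes` (pip-tools) emit the fully pinned and hashed closure, and install with `pip install --require-hashes -r requirements.txt`, which refuses anything that is not both exactly pinned and hashed.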