by theptip 2412 days ago
Last time I looked, it was very tedious to set up `pip` to be secure and pin your dependencies to hashes. Without this, a compromise of a library's pypa account would allow them to execute arbitrary code on your system, assuming you didn't notice the change.

You can use `pip-tools` to get something like a Gemfile/package.json, but there are a few restrictions that are suboptimal.

So Pipenv/Poetry are the current best ways to get something like the package management story that other languages like Ruby and JS have had for a long time (and that Go's been polishing recently too).

2 comments

Conda does as well, and a hell of a lot more, not sure why it is so rarely mentioned.
What do you find restrictive about pip-tools? It's been working excellently for me.
I was going to say that pinning hashes seems to be painful, but since I last looked it now has a --generate-hashes flag.

Also if you want to link directly to a git repo, you can only install it in editable mode, you can't just install it with the rest of your packages (means you get a `src` directory where you ran pip, which makes Dockerizing slightly annoying, and probably impacts performance slightly).

Maybe this has also been fixed since I last upgraded.

Since `pip-tools>=3.7.0` it supports links to git repo URLs without editable mode, and --generate-hashes works as well (since version 3.8.0).
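To make concrete what the hash pinning discussed in this thread actually buys you, here is an added example (not code from the thread, pip, or pip-tools) that models the check pip performs in `--require-hashes` mode: it parses a requirements file in the layout `pip-compile --generate-hashes` produces, insists that every requirement carries a hash, refuses weak algorithms, and verifies a downloaded artifact's digest against the pinned set. The package name `demo`, the artifact bytes and the requirements text are all constructed for the demo; the function names are this example's own, not pip's API.

```python
"""Toy model of pip's --require-hashes check over a pip-compile style requirements file."""
import hashlib
import re

# Algorithms pip accepts for --hash; md5/sha1 are rejected as too weak.
STRONG_HASHES = ("sha256", "sha384", "sha512")

_HASH_RE = re.compile(r"--hash[= ](?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)==(?P<version>[^\s\\#]+)")


class HashPinError(ValueError):
    """Raised when the requirements file would not be accepted in hash-checking mode."""


def _logical_lines(text):
    """Join backslash continuations and drop blank/comment lines (pip-compile's layout)."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_requirements(text):
    """Return {normalized_name: (version, {alg: {digest, ...}})} for an ==-pinned file.

    Several --hash options per requirement are normal: one per distribution file
    (wheel, sdist) of the pinned release.
    """
    pins = {}
    for line in _logical_lines(text):
        m = _PIN_RE.match(line)
        if not m:
            raise HashPinError(f"not an exact == pin: {line!r}")
        name = m.group("name").lower().replace("_", "-")
        hashes = {}
        for h in _HASH_RE.finditer(line):
            alg, digest = h.group("alg"), h.group("digest")
            if alg not in STRONG_HASHES:
                raise HashPinError(f"{name}: weak hash algorithm {alg}")
            hashes.setdefault(alg, set()).add(digest)
        pins[name] = (m.group("version"), hashes)
    return pins


def check_all_pinned_with_hashes(pins):
    """Hash-checking mode is all-or-nothing: one hashed entry means every entry needs one."""
    missing = sorted(n for n, (_, h) in pins.items() if not h)
    if missing:
        raise HashPinError("requirements without --hash: " + ", ".join(missing))
    return True


def verify_artifact(pins, name, data):
    """True iff the downloaded bytes match one of the digests pinned for this package."""
    _version, hashes = pins[name.lower().replace("_", "-")]
    return any(hashlib.new(alg, data).hexdigest() in digests for alg, digests in hashes.items())


# Constructed stand-ins for the two distribution files of one release (not real artifacts).
GOOD_WHEEL = b"PK\x03\x04 fake wheel contents for demo-1.0"
GOOD_SDIST = b"\x1f\x8b fake sdist contents for demo-1.0"
TAMPERED_WHEEL = GOOD_WHEEL + b" plus an injected payload"

# Constructed requirements text in the shape pip-compile --generate-hashes writes.
REQUIREMENTS = f"""
# This file is autogenerated by pip-compile
demo==1.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()} \\
    --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}
    # via -r requirements.in
"""


def demo():
    """Run the checks a hash-verifying install would perform; returns a result dict."""
    pins = parse_requirements(REQUIREMENTS)
    check_all_pinned_with_hashes(pins)
    results = {
        "wheel_ok": verify_artifact(pins, "demo", GOOD_WHEEL),
        "sdist_ok": verify_artifact(pins, "demo", GOOD_SDIST),
        "tampered_rejected": not verify_artifact(pins, "demo", TAMPERED_WHEEL),
    }
    # An extra entry with no --hash must fail the whole file, as pip does.
    try:
        check_all_pinned_with_hashes(parse_requirements(REQUIREMENTS + "\nother-lib==2.0\n"))
        results["unhashed_rejected"] = False
    except HashPinError:
        results["unhashed_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point the model makes visible: with hashes pinned, a swapped artifact (the account-compromise scenario in the top comment) fails on digest mismatch rather than being installed, and a requirements file that mixes hashed and unhashed entries is refused outright rather than silently half-checked.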