by Redoubts 2376 days ago
Probably recording exact dependency versions, based on a loose requirements.txt and when it was built.

You may want this because you have a library that you shouldn't be pinning to the third decimal on a sem-ver package, but that you don't want to hiccup in CI due to a dot-release.

Or maybe you think a loose file your tooling can read, and a hyper-specific file your builder should read, is a better interface for a project.

1 comments

Yes, kind of like that. Except that it doesn't use requirements.txt but rather a file called Pipfile. In there you can also pin versions, or leave them unspecified or only partially specified, and you can also divide them into dev-packages and normal packages (so it allows for a bit more flexibility than a requirements.txt file).
a bit like "pip freeze > requirements.txt" then?
> a bit like "pip freeze > requirements.txt" then?

With the added bonus that it also contains a hash of the package so if someone pushes a new version with the same version number it would complain that the hashes don't match.
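
The hash check described in the comment above, as an added example that is not part of the thread and is not pipenv's own code. It assumes a lock file laid out like Pipfile.lock (`default`/`develop` sections, each entry with `version` and `hashes`); the package name `examplepkg` and the artifact bytes are constructed.

```python
import hashlib
import json


def sha256_tag(data: bytes) -> str:
    """Format a digest the way lock-file entries record it: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed artifacts: the file that was locked, and a different file
# later uploaded under the same version number.
ORIGINAL = b"constructed wheel contents for examplepkg 1.0.0"
REPUSHED = b"constructed wheel contents for examplepkg 1.0.0 (re-uploaded)"

# Constructed lock file in the Pipfile.lock layout (assumed, see lead-in).
LOCK_JSON = json.dumps({
    "_meta": {"pipfile-spec": 6},
    "default": {
        "examplepkg": {
            "version": "==1.0.0",
            "hashes": [sha256_tag(ORIGINAL)],
        }
    },
    "develop": {},
})


def verify_artifact(lock_text, name, version, data, section="default"):
    """Return (ok, reason) for a downloaded artifact checked against the lock."""
    entry = json.loads(lock_text).get(section, {}).get(name)
    if entry is None:
        return False, "not in lock file"
    if entry.get("version") != "==" + version:
        return False, "version mismatch"
    hashes = entry.get("hashes", [])
    if not hashes:
        # A version pin alone cannot detect replaced content.
        return False, "no hashes pinned"
    if sha256_tag(data) in hashes:
        return True, "hash match"
    return False, "hash mismatch"


if __name__ == "__main__":
    print(verify_artifact(LOCK_JSON, "examplepkg", "1.0.0", ORIGINAL))
    print(verify_artifact(LOCK_JSON, "examplepkg", "1.0.0", REPUSHED))
```

A plain `pip freeze` output would accept both artifacts here, because it records only `examplepkg==1.0.0`.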