| The docs for this mentions: > Including a package in a constraints file does not trigger installation of the package. Maybe I'm not following something but how do you get all of this to work like a lock file in other package managers? Let's use Ruby as a working example: 1. You start a new project and you have a Gemfile. 2. This Gemfile is where you define your top level dependencies very much like a requirements.txt file. You can choose to version lock these dependencies if you'd like (it's a best practice), but that's optional. 3. You run `bundle install` 4. All of your dependencies get resolved and installed 5. A new Gemfile.lock file was created automatically for you. This is machine generated and contains a list of all dependencies (top level and every dependency of every dependency) along with locking them to their exact patch versions at the point of running step 3. 6. The next time you run `bundle install` it will detect that a Gemfile.lock file exists and use that to figure out what to install 7. If you change your Gemfile and run `bundle install` again, a new Gemfile.lock will be generated 8. You commit both the Gemfile and Gemfile.lock to version control and git push it up At this point you're safe. If another developer clones your repo or CI runs today or 3 months from now everyone will get the same exact versions of everything you had at the time of pushing it. |
The top level dependencies go in requirements.txt and trigger installation of those packages. Everything else goes in the constraints file, which constrains the version that will be installed if something triggers an installation of the package, but it doesn't by itself trigger the installation - it only locks/constrains the versions.