Anyone remember the leftpad fiasco in the node ecosystem? That could happen in any dependency system that allows owners to unpublish dependencies and that's one risk users must weigh when adding them.
Yeah, I assume pinning the version is something everyone does? Or probably many just don't and will have those "python deps management is a mess" dramas.
TBH, I've seen tutorials or even some companies simply do `pip freeze > requirements.txt` :shrug: which is a mess.
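To make the pinning point above concrete, here is an added example (not from any commenter) that audits a requirements file and separates entries that are hash-locked, pinned by version only (what `pip freeze` emits), loose, or VCS URLs without a ref. The requirements content, package names and hash are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample requirements file; the hash is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked, as pip-compile --generate-hashes would emit
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# pinned by version only, as `pip freeze` emits (no integrity check)
urllib3==2.0.7
# loose specifiers resolve to whatever release is current at install time
flask>=2.0
jinja2
# a VCS URL with no @ref: the build follows the branch head
git+https://example.invalid/org/lib.git
"""

_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)")


def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def classify(line: str) -> str:
    """Label one logical requirement line by how reproducible it is."""
    if line.startswith(("git+", "http", "-e ")):
        return "vcs-pinned" if "@" in line else "vcs-unpinned"
    m = _SPEC_RE.match(line)
    if not m:
        return "unparsed"
    if m.group(2) != "==":
        return "unpinned"           # no operator, or a range operator
    return "pinned-hashed" if "--hash=" in line else "pinned"


def audit(text: str) -> Dict[str, List[str]]:
    """Group requirement specs (first token of each line) by classification."""
    report: Dict[str, List[str]] = {}
    for line in _logical_lines(text):
        report.setdefault(classify(line), []).append(line.split()[0])
    return report


if __name__ == "__main__":
    for kind, specs in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{kind:14} {', '.join(specs)}")
```

Only the `pinned-hashed` category gives pip enough to refuse a substituted artifact under `--require-hashes`; `pinned` reproduces versions but not contents.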