[zahlman]

Dependency metadata is published within packages - both for wheels (prebuilt) and sdists (source that requires a build step - these projects often include non-Python code, but you can still request an entirely pointless build step for a Python-only project. But please read https://pradyunsg.me/blog/2022/12/31/wheels-are-faster-pure-... and don't do that.)

PyPI even extracts it in most cases, to my understanding, so that installers can solve for the right versions of dependencies without downloading entire packages. (But the metadata for the project is still fragmented across multiple per-distribution files.)

However, source distributions are still allowed to have metadata - including dependencies - marked as "dynamic" (i.e., declaring that they'll be determined during the build process). This is rarely necessary (and probably happens much more often than is necessary), but a very complex project might for example have different dependencies based on specific details of the user's environment that aren't currently expressible in the existing environment markers (see https://peps.python.org/pep-0508/).

My experience with the Python ecosystem has been that it tries a bit too hard to make absolutely everyone happy (despite all the times that quite a few people end up unhappy). Today's concessions to backward compatibility always seem to make tomorrow's even harder to implement.