# Beyond pip: Pipenv and poetry overview

**REQUIREMENT 1**

![image.png](attachment:b74638c2-01d5-412d-bee4-0d79359f5fd2.png)

**REQUIREMENT 2**

![image.png](attachment:5f9740a2-3afb-4b33-a49f-f73911d2d412.png)


## Requirement 1 problem

Here we’re listing **top-level** dependencies in either **requirements.txt** or **pyproject.toml**. Suppose we install this and there is a bunch of sub-dependencies that are not listed in the dependency file. One problem is that this is now non-deterministic. If we install the same requirement file tomorrow, some dependencies may already have a newer version. So this list is not a complete specification.

## Requirement 2 problem

The alternative would be to specify exactly what exactly every version of every sub-dependencies. This might be the output from **`pip freeze`**, for example. Now we get a very long list of dependencies which is also sub-optimal because maintaining versions of sub-dependencies is not feasible, instead, it is better to use the latest version of all the sub-dependencies. We don’t want to be responsible for keeping all those packages up to date due to a security update, additional support, efficiency, etc.

Also strictly specifying the version of all those sub-dependencies, makes it harder to install extra packages needed later because there is a big chance of version conflicts, and it will take time to resolve those. So in this case, the dependencies are defined in too much detail.

## Solution: Dependency locking

Both pipenv and poetry help us to solve the above-mentioned problems in both requirements using **dependency locking**.

We’ll separate top-level dependency declarations from actual installed tested versions. In other words, we’ll have two lists: 

* **Top-level dependencies declarations**
    * dependencies which are a must for the project and have strict version requirements.
    * dependencies which are a must for the project but doesn’t have strict version requirement → will always use the latest version.

* **Installed, and tested version**
    * sub-dependencies kept in a separate lock file, which is managed by the tool, such as `pipenv` & `poetry`.
    * it contains strict versions along with the hashes for security.
    * This allows for a **deterministic** situation where we know the exact version of all packages that we have installed and tested against without polluting our top-level list of dependencies that we actually depend on directly.

![image.png](attachment:423e348e-260b-47d3-a264-f4802f7bcf5b.png)

![image.png](attachment:ba295eb6-4ef5-427d-80c9-930214705d59.png)

> **NOTE:** 
> * *We can also use hashes with pip for security. It will look like as shown in the image below if we add the hashes to the dependencies in your requirements file.*
> * *The point is that the hash gives us something like a fingerprint of the contents of a package.*
> * *If the attacker tries to somehow sneak a package with the same name & version, but with some malicious code inside into our project, that won’t work because the hash value won’t match.*
> * *For any complex project, this way of managing dependencies using hashes is annoying.*
> * *If we want to use hash dependencies, it is better to use either pipenv or poetry instead because these tool makes it much easier to deal with hashes.*

# Differences between pipenv and poetry

![image.png](attachment:a45bac39-fd98-4414-a10c-f5511d359820.png)

![image.png](attachment:e8d57b67-d63f-4815-8810-fad8765a18c2.png)