Using pip-compile to generate full requirements

[jonathan-s]

Right now I'm not entirely sure what the status of the requirements.txt file actually is. It looks like we're trying to keep dependencies locked so that an update of a dependency won't inadvertently break the project.

Manually ensuring that each dependency is up to date can be a bit cumbersome especially if you commit to keeping track of transitive dependencies. I think a step in the right direction would be to use pip-compile, that way you'll only need to keep track of and update the top-most dependencies.

https://github.com/jazzband/pip-tools/

[sissbruecker]

Currently taking a look at pip-tools, being able to list app dependencies only, and having comments where transitive dependencies come from should make things easier. I guess dependabot should still be able to work with this setup, and will continue to suggest changes to the requirements files directly.

[sissbruecker]

Something like this: #618

[joshuadavidthomas]

Yep, dependabot works just fine with a setup revolving around pip-tools. That's what I use on any Django project I work on. Example dependabot PR: joshuadavidthomas/joshthomas.dev#250.

I generally run the pip-compile command with --allow-unsafe --resolver=backtracking --strip-extras to account for deprecations as well as --generate-hashes to generate the hashes for the packages in the resulting requirements.txt.