Converting Pinned Version Dependencies
Convert requirements.txt with exact version pins (==) to pyproject.toml format. Understand when to use pinned versions and how they translate between formats.
Detailed Explanation
Pinned versions using the == operator are the strictest form of version specification. They ensure reproducible builds by locking to an exact package version. This is common in production deployments and Docker containers.
Pinned requirements.txt:
django==4.2.8
psycopg2-binary==2.9.9
gunicorn==21.2.0
whitenoise==6.6.0
sentry-sdk==1.39.1
Converted to pyproject.toml:
[project]
dependencies = [
"django==4.2.8",
"psycopg2-binary==2.9.9",
"gunicorn==21.2.0",
"whitenoise==6.6.0",
"sentry-sdk==1.39.1",
]
When to use pinned versions:
- Production deployments where reproducibility is critical
- Docker images that should produce identical containers every time
- CI/CD pipelines where unexpected upgrades could break tests
- Lock files (pip freeze output) for capturing the exact resolved state
Trade-offs of pinning:
Pinned versions prevent automatic security patches. Consider using a tool like dependabot, renovate, or pip-audit to monitor for vulnerabilities. In pyproject.toml, you typically specify flexible ranges in dependencies and use a lock file (like pip-tools or pdm.lock) for pinned resolution.
Note that pyproject.toml dependencies are meant to express abstract requirements, while pinned versions are better suited for lock files. Many projects use >= or ~= in pyproject.toml and pin exact versions in a separate lock file.
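The following added example (not part of the original page) carries the conversion out in code: it parses a constructed requirements.txt, renders the `[project]` dependencies array with the exact pins kept, optionally relaxes `==` to the `~=` compatible-release form described above for the pyproject.toml side, and reports which requirements are exact pins and so will not pick up patch releases on their own. Dropping pip options such as `-r` and `--index-url` is an assumption, since they have no equivalent in pyproject.toml.

```python
import re

# Constructed sample requirements.txt content (not a real deployment's file).
SAMPLE_REQUIREMENTS = """\
# production pins
django==4.2.8
psycopg2-binary==2.9.9  # inline comment
gunicorn==21.2.0
-r base.txt
--index-url https://example.invalid/simple
whitenoise==6.6.0
sentry-sdk==1.39.1
"""

# name[extras]==version; optional environment marker after ';'
_PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]+\])?\s*==\s*([^\s;]+)(\s*;.*)?$"
)


def parse_requirements(text):
    """Return the requirement strings from requirements.txt text.

    Blank lines, comments and pip options (-r, --index-url, ...) are skipped:
    they are pip-specific and have no place in pyproject.toml.
    """
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        reqs.append(line)
    return reqs


def exact_pins(reqs):
    """Return the requirements locked with ==; these never move to a patched release."""
    return [r for r in reqs if _PIN_RE.match(r)]


def relax_pin(req):
    """Rewrite name==X.Y.Z as name~=X.Y.Z (compatible release); other specs pass through."""
    m = _PIN_RE.match(req)
    if not m:
        return req
    name, extras, version, marker = m.groups()
    return f"{name}{extras or ''}~={version}{marker or ''}"


def to_pyproject(reqs, relax=False):
    """Render a [project] table whose dependencies array holds the requirements."""
    items = [relax_pin(r) if relax else r for r in reqs]
    body = "".join(f'    "{r}",\n' for r in items)
    return "[project]\ndependencies = [\n" + body + "]\n"
```

Run `to_pyproject(parse_requirements(SAMPLE_REQUIREMENTS))` for the pinned output shown above, and pass `relax=True` to get the form that belongs in pyproject.toml when the exact pins live in a lock file.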
Use Case
Converting a production Docker deployment's requirements.txt with all exact version pins to pyproject.toml format for a project modernization effort.