pip and transitive dependencies

Mar 18, 2016 using tags python, pip, setup_py

Suppose you have python project project-a with a requirements.txt that looks like:


And project-b’s requirements.txt:


Now if you pip install project-a’s dependencies using something like pip install -r requirements.txt, you will be very sad to find that the python-dateutil library you have installed for project-a is actually the newest released version of python-dateutil, and not necessarily 2.4.2.

Why is this?

If a transitive dependency is not explicitly specified in a project’s requirements.txt, pip will grab the version of the required library specified in the project’s install_requires section (of setup.py). If this section does not explicitly pin a version, you end up getting the latest version of that library.

What should I do?

If your application needs a specific version of a transitive dependency, pin it yourself in your application’s requirements.txt file. Then pip will do the right thing. You do also have the option of pinning the version in setup.py itself, but this is considered bad form.

This was more of a reminder to myself rather an a TIL. Hopefully useful to you too!