pip-tools keeps your pinned dependencies fresh.
Project description
pip-tools = pip-compile + pip-sync
A set of command line tools to help you keep your pip-based packages fresh, even when you’ve pinned them. You do pin them, right? (In building your Python application and its dependencies for production, you want to make sure that your builds are predictable and deterministic.)
Installation
Similar to pip, pip-tools must be installed in each of your project’s virtual environments:
$ source /path/to/venv/bin/activate
(venv) $ python -m pip install pip-tools
Note: all of the remaining example commands assume you’ve activated your project’s virtual environment.
Example usage for pip-compile
The pip-compile command lets you compile a requirements.txt file from your dependencies, specified in either pyproject.toml, setup.cfg, setup.py, or requirements.in.
Run it with pip-compile or python -m piptools compile. If you use multiple Python versions, you can also run py -X.Y -m piptools compile on Windows and pythonX.Y -m piptools compile on other systems.
pip-compile should be run from the same virtual environment as your project so conditional dependencies that require a specific Python version, or other environment markers, resolve relative to your project’s environment.
Note: If pip-compile finds an existing requirements.txt file that fulfils the dependencies then no changes will be made, even if updates are available. To compile from scratch, first delete the existing requirements.txt file, or see Updating requirements for alternative approaches.
Requirements from pyproject.toml
The pyproject.toml file is the latest standard for configuring packages and applications, and is recommended for new projects. pip-compile supports both installing your project.dependencies as well as your project.optional-dependencies. Thanks to the fact that this is an official standard, you can use pip-compile to pin the dependencies in projects that use modern standards-adhering packaging tools like Hatch or flit.
Suppose you have a Django application that is packaged using Hatch, and you want to pin it for production. You also want to pin your development tools in a separate pin file. You declare django as a dependency and create an optional dependency dev that includes pytest:
[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"
[project]
name = "my-cool-django-app"
version = "42"
dependencies = ["django"]
[project.optional-dependencies]
dev = ["pytest"]
You can produce your pin files as easily as:
$ pip-compile -o requirements.txt pyproject.toml
#
# This file is autogenerated by pip-compile with python 3.10
# To update, run:
#
# pip-compile --output-file=requirements.txt pyproject.toml
#
asgiref==3.5.2
# via django
django==4.1
# via my-cool-django-app (pyproject.toml)
sqlparse==0.4.2
# via django
$ pip-compile --extra dev -o dev-requirements.txt pyproject.toml
#
# This file is autogenerated by pip-compile with python 3.10
# To update, run:
#
# pip-compile --extra=dev --output-file=dev-requirements.txt pyproject.toml
#
asgiref==3.5.2
# via django
attrs==22.1.0
# via pytest
django==4.1
# via my-cool-django-app (pyproject.toml)
iniconfig==1.1.1
# via pytest
packaging==21.3
# via pytest
pluggy==1.0.0
# via pytest
py==1.11.0
# via pytest
pyparsing==3.0.9
# via packaging
pytest==7.1.2
# via my-cool-django-app (pyproject.toml)
sqlparse==0.4.2
# via django
tomli==2.0.1
# via pytest
This is great for both pinning your applications, but also to keep the CI of your open-source Python package stable.
Requirements from setup.py and setup.cfg
pip-compile has also full support for setup.py- and setup.cfg-based projects that use setuptools.
Just define your dependencies and extras as usual and run pip-compile as above.
Requirements from requirements.in
You can also use plain text files for your requirements (e.g. if you don’t want your application to be a package). To use a requirements.in file to declare the Django dependency:
# requirements.in
django
Now, run pip-compile requirements.in:
$ pip-compile requirements.in
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile requirements.in
#
asgiref==3.2.3
# via django
django==3.0.3
# via -r requirements.in
pytz==2019.3
# via django
sqlparse==0.3.0
# via django
And it will produce your requirements.txt, with all the Django dependencies (and all underlying dependencies) pinned.
Updating requirements
pip-compile generates a requirements.txt file using the latest versions that fulfil the dependencies you specify in the supported files.
If pip-compile finds an existing requirements.txt file that fulfils the dependencies then no changes will be made, even if updates are available.
To force pip-compile to update all packages in an existing requirements.txt, run pip-compile --upgrade.
To update a specific package to the latest or a specific version use the --upgrade-package or -P flag:
# only update the django package
$ pip-compile --upgrade-package django
# update both the django and requests packages
$ pip-compile --upgrade-package django --upgrade-package requests
# update the django package to the latest, and requests to v2.0.0
$ pip-compile --upgrade-package django --upgrade-package requests==2.0.0
You can combine --upgrade and --upgrade-package in one command, to provide constraints on the allowed upgrades. For example to upgrade all packages whilst constraining requests to the latest version less than 3.0:
$ pip-compile --upgrade --upgrade-package 'requests<3.0'
Using hashes
If you would like to use Hash-Checking Mode available in pip since version 8.0, pip-compile offers --generate-hashes flag:
$ pip-compile --generate-hashes requirements.in
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile --generate-hashes requirements.in
#
asgiref==3.2.3 \
--hash=sha256:7e06d934a7718bf3975acbf87780ba678957b87c7adc056f13b6215d610695a0 \
--hash=sha256:ea448f92fc35a0ef4b1508f53a04c4670255a3f33d22a81c8fc9c872036adbe5 \
# via django
django==3.0.3 \
--hash=sha256:2f1ba1db8648484dd5c238fb62504777b7ad090c81c5f1fd8d5eb5ec21b5f283 \
--hash=sha256:c91c91a7ad6ef67a874a4f76f58ba534f9208412692a840e1d125eb5c279cb0a \
# via -r requirements.in
pytz==2019.3 \
--hash=sha256:1c557d7d0e871de1f5ccd5833f60fb2550652da6be2693c1e02300743d21500d \
--hash=sha256:b02c06db6cf09c12dd25137e563b31700d3b80fcc4ad23abb7a315f2789819be \
# via django
sqlparse==0.3.0 \
--hash=sha256:40afe6b8d4b1117e7dff5504d7a8ce07d9a1b15aeeade8a2d10f130a834f8177 \
--hash=sha256:7c3dca29c022744e95b547e867cee89f4fce4373f3549ccd8797d8eb52cdb873 \
# via django
Output File
To output the pinned requirements in a filename other than requirements.txt, use --output-file. This might be useful for compiling multiple files, for example with different constraints on django to test a library with both versions using tox:
$ pip-compile --upgrade-package 'django<1.0' --output-file requirements-django0x.txt
$ pip-compile --upgrade-package 'django<2.0' --output-file requirements-django1x.txt
Or to output to standard output, use --output-file=-:
$ pip-compile --output-file=- > requirements.txt
$ pip-compile - --output-file=- < requirements.in > requirements.txt
Forwarding options to pip
Any valid pip flags or arguments may be passed on with pip-compile’s --pip-args option, e.g.
$ pip-compile requirements.in --pip-args "--retries 10 --timeout 30"
Configuration
You might be wrapping the pip-compile command in another script. To avoid confusing consumers of your custom script you can override the update command generated at the top of requirements files by setting the CUSTOM_COMPILE_COMMAND environment variable.
$ CUSTOM_COMPILE_COMMAND="./pipcompilewrapper" pip-compile requirements.in
#
# This file is autogenerated by pip-compile
# To update, run:
#
# ./pipcompilewrapper
#
asgiref==3.2.3
# via django
django==3.0.3
# via -r requirements.in
pytz==2019.3
# via django
sqlparse==0.3.0
# via django
Workflow for layered requirements
If you have different environments that you need to install different but compatible packages for, then you can create layered requirements files and use one layer to constrain the other.
For example, if you have a Django project where you want the newest 2.1 release in production and when developing you want to use the Django debug toolbar, then you can create two *.in files, one for each layer:
# requirements.in
django<2.2
At the top of the development requirements dev-requirements.in you use -c requirements.txt to constrain the dev requirements to packages already selected for production in requirements.txt.
# dev-requirements.in
-c requirements.txt
django-debug-toolbar
First, compile requirements.txt as usual:
$ pip-compile
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile
#
django==2.1.15
# via -r requirements.in
pytz==2019.3
# via django
Now compile the dev requirements and the requirements.txt file is used as a constraint:
$ pip-compile dev-requirements.in
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile dev-requirements.in
#
django-debug-toolbar==2.2
# via -r dev-requirements.in
django==2.1.15
# via
# -c requirements.txt
# django-debug-toolbar
pytz==2019.3
# via
# -c requirements.txt
# django
sqlparse==0.3.0
# via django-debug-toolbar
As you can see above, even though a 2.2 release of Django is available, the dev requirements only include a 2.1 version of Django because they were constrained. Now both compiled requirements files can be installed safely in the dev environment.
To install requirements in production stage use:
$ pip-sync
You can install requirements in development stage by:
$ pip-sync requirements.txt dev-requirements.txt
Version control integration
You might use pip-compile as a hook for the pre-commit. See pre-commit docs for instructions. Sample .pre-commit-config.yaml:
repos:
- repo: https://github.com/jazzband/pip-tools
rev: 6.12.0
hooks:
- id: pip-compile
You might want to customize pip-compile args by configuring args and/or files, for example:
repos:
- repo: https://github.com/jazzband/pip-tools
rev: 6.12.0
hooks:
- id: pip-compile
files: ^requirements/production\.(in|txt)$
args: [--index-url=https://example.com, requirements/production.in]
If you have multiple requirement files make sure you create a hook for each file.
repos:
- repo: https://github.com/jazzband/pip-tools
rev: 6.12.0
hooks:
- id: pip-compile
name: pip-compile setup.py
files: ^(setup\.py|requirements\.txt)$
- id: pip-compile
name: pip-compile requirements-dev.in
args: [requirements-dev.in]
files: ^requirements-dev\.(in|txt)$
- id: pip-compile
name: pip-compile requirements-lint.in
args: [requirements-lint.in]
files: ^requirements-lint\.(in|txt)$
- id: pip-compile
name: pip-compile requirements.txt
args: [requirements.txt]
files: ^requirements\.(in|txt)$
Example usage for pip-sync
Now that you have a requirements.txt, you can use pip-sync to update your virtual environment to reflect exactly what’s in there. This will install/upgrade/uninstall everything necessary to match the requirements.txt contents.
Run it with pip-sync or python -m piptools sync. If you use multiple Python versions, you can also run py -X.Y -m piptools sync on Windows and pythonX.Y -m piptools sync on other systems.
pip-sync must be installed into and run from the same virtual environment as your project to identify which packages to install or upgrade.
Be careful: pip-sync is meant to be used only with a requirements.txt generated by pip-compile.
$ pip-sync
Uninstalling flake8-2.4.1:
Successfully uninstalled flake8-2.4.1
Collecting click==4.1
Downloading click-4.1-py2.py3-none-any.whl (62kB)
100% |................................| 65kB 1.8MB/s
Found existing installation: click 4.0
Uninstalling click-4.0:
Successfully uninstalled click-4.0
Successfully installed click-4.1
To sync multiple *.txt dependency lists, just pass them in via command line arguments, e.g.
$ pip-sync dev-requirements.txt requirements.txt
Passing in empty arguments would cause it to default to requirements.txt.
Any valid pip install flags or arguments may be passed with pip-sync’s --pip-args option, e.g.
$ pip-sync requirements.txt --pip-args "--no-cache-dir --no-deps"
Note: pip-sync will not upgrade or uninstall packaging tools like setuptools, pip, or pip-tools itself. Use python -m pip install --upgrade to upgrade those packages.
Should I commit requirements.in and requirements.txt to source control?
Generally, yes. If you want a reproducible environment installation available from your source control, then yes, you should commit both requirements.in and requirements.txt to source control.
Note that if you are deploying on multiple Python environments (read the section below), then you must commit a separate output file for each Python environment. We suggest to use the {env}-requirements.txt format (ex: win32-py3.7-requirements.txt, macos-py3.10-requirements.txt, etc.).
Cross-environment usage of requirements.in/requirements.txt and pip-compile
The dependencies of a package can change depending on the Python environment in which it is installed. Here, we define a Python environment as the combination of Operating System, Python version (3.7, 3.8, etc.), and Python implementation (CPython, PyPy, etc.). For an exact definition, refer to the possible combinations of PEP 508 environment markers.
As the resulting requirements.txt can differ for each environment, users must execute pip-compile on each Python environment separately to generate a requirements.txt valid for each said environment. The same requirements.in can be used as the source file for all environments, using PEP 508 environment markers as needed, the same way it would be done for regular pip cross-environment usage.
If the generated requirements.txt remains exactly the same for all Python environments, then it can be used across Python environments safely. But users should be careful as any package update can introduce environment-dependant dependencies, making any newly generated requirements.txt environment-dependant too. As a general rule, it’s advised that users should still always execute pip-compile on each targeted Python environment to avoid issues.
Other useful tools
pipdeptree to print the dependency tree of the installed packages.
requirements.in/requirements.txt syntax highlighting:
requirements.txt.vim for Vim.
Python extension for VS Code for VS Code.
pip-requirements.el for Emacs.
Deprecations
This section lists pip-tools features that are currently deprecated.
In future versions, the --allow-unsafe behavior will be enabled by default. Use --no-allow-unsafe to keep the old behavior. It is recommended to pass the --allow-unsafe now to adapt to the upcoming change.
Legacy resolver is deprecated and will be removed in future versions. Use --resolver=backtracking instead.
A Note on Resolvers
You can choose from either the legacy or the backtracking resolver. The backtracking resolver is recommended, and will become the default with the 7.0 release.
Use it now with the --resolver=backtracking option to pip-compile.
The legacy resolver will occasionally fail to resolve dependencies. The backtracking resolver is more robust, but can take longer to run in general.
You can continue using the legacy resolver with --resolver=legacy.
Versions and compatibility
The table below summarizes the latest pip-tools versions with the required pip and Python versions. Generally, pip-tools supports the same Python versions as the required pip versions.
pip-tools |
pip |
Python |
---|---|---|
4.5.* |
8.1.3 - 20.0.2 |
2.7, 3.5 - 3.8 |
5.0.0 - 5.3.0 |
20.0 - 20.1.1 |
2.7, 3.5 - 3.8 |
5.4.0 |
20.1 - 20.3.* |
2.7, 3.5 - 3.8 |
5.5.0 |
20.1 - 20.3.* |
2.7, 3.5 - 3.9 |
6.0.0 - 6.3.1 |
20.3 - 21.2.* |
3.6 - 3.9 |
6.4.0 |
21.2 - 21.3.* |
3.6 - 3.10 |
6.5.0 - 6.10.0 |
21.2 - 22.3.* |
3.7 - 3.11 |
6.11.0+ |
22.2+ |
3.7 - 3.11 |
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pip-tools-6.12.0.tar.gz
.
File metadata
- Download URL: pip-tools-6.12.0.tar.gz
- Upload date:
- Size: 125.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f441603c63b16f4af0dd5026f7522a49eddec2bc8a4a4979af44e1f6b0a1c13e |
|
MD5 | 2c2d9b59ea209cd0fa3de4b560c1a56d |
|
BLAKE2b-256 | 357291b0284111ca3d43e14caa879bd1aeceb9480f81a679d40ce2ab7481969d |
File details
Details for the file pip_tools-6.12.0-py3-none-any.whl
.
File metadata
- Download URL: pip_tools-6.12.0-py3-none-any.whl
- Upload date:
- Size: 118.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8e22fbc84ede7ca522ba4b033c4fcf6a6419adabc75d24747be3d8262504489a |
|
MD5 | 708a18d2204b373b81bf9d5b603c1a8a |
|
BLAKE2b-256 | 175c2a97f23fc4d5e3d0e65c80c206453b8416a91ddaed0560869630538fa2d8 |