Mastering Python Dependency Management: From Libraries to Automated Updates
This article explains how to handle Python library and application dependencies, specify version ranges, use tools like pipenv, poetry, Dependabot, and Mergify to create reproducible deployments and automate safe updates, ensuring reliable production releases.
Library Dependencies
Python libraries should declare their dependencies loosely, with version ranges rather than exact pins (for example requests>=2, or requests>=1,<2 when the library is known not to work with a later major release). A library that pins requests==2.25.1 forces that exact version on every application that installs it, and two libraries with different pins cannot be installed together at all.
These specifications belong in the library's packaging metadata (install_requires in setup.py, or the equivalent in setup.cfg or pyproject.toml) so that any application can use the library alongside others.
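To make the conflict concrete, here is a small evaluator for version specifiers such as >=1,<2, added for this article and not taken from it or from pip. It handles only numeric dotted versions and the operators ==, !=, <, <=, >, >= (no pre-releases, wildcards or ~=), so it is a teaching aid rather than a resolver; the release list and the two libraries lib_a and lib_b are constructed for the example.

```python
# Added example (not from the original article): a minimal evaluator for
# version specifiers such as ">=1,<2", used to show why a library that pins
# "requests==x.y.z" conflicts with other libraries while a version range
# leaves the application a choice. Only numeric dotted versions and the
# operators ==, !=, <, <=, >, >= are handled (no pre-releases, wildcards
# or ~=), so this is a teaching aid, not a resolver.
import re

_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """Turn '2.25.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(version, width):
    """Pad with zeros so that 2.0 compares equal to 2.0.0."""
    return version + (0,) * (width - len(version))


def satisfies(version, spec):
    """Return True if version (a string) meets every clause in spec ('>=1,<2')."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.group(1), parse_version(m.group(2))
        width = max(len(v), len(target))
        a, b = _pad(v, width), _pad(target, width)
        ok = {"==": a == b, "!=": a != b, "<": a < b,
              "<=": a <= b, ">": a > b, ">=": a >= b}[op]
        if not ok:
            return False
    return True


def compatible_versions(candidates, requirements):
    """Versions from `candidates` that satisfy every specifier in `requirements`.

    `requirements` maps each requiring library to its specifier for the shared
    dependency. An empty result means the libraries cannot be installed together.
    """
    return [c for c in candidates
            if all(satisfies(c, spec) for spec in requirements.values())]


# Constructed sample data: released versions of a hypothetical dependency.
RELEASES = ["1.2.0", "2.20.0", "2.25.1", "2.28.0", "3.0.0"]

# Two hypothetical libraries that both pin an exact version: no common choice.
PINNED = {"lib_a": "==2.25.1", "lib_b": "==2.28.0"}
# The same libraries declaring ranges: the application still has options.
RANGED = {"lib_a": ">=2.20,<3", "lib_b": ">=2.25"}

if __name__ == "__main__":
    print("pinned:", compatible_versions(RELEASES, PINNED))   # []
    print("ranged:", compatible_versions(RELEASES, RANGED))   # ['2.25.1', '2.28.0']
```

With exact pins the intersection is empty and pip would have to refuse the install (or, in older versions, silently pick one and break the other library); with ranges the application is left with 2.25.1 and 2.28.0 to choose from, and the lock file discussed below records which one it chose.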
Application Dependencies
Applications are a special case of libraries: they are not usually meant to be imported by other projects, but nothing technically prevents it.
So declare an application's dependencies in setup.py with the same loose ranges a library would use. The difference is that an application gets deployed to production, where every deployment must install the same set of packages; that requirement is handled at deployment time rather than by tightening the ranges in setup.py.
Handling Deployment
The traditional requirements.txt approach pins an exact version for each dependency so that every deployment installs the same packages. If the file lists only the direct dependencies, though, their own dependencies are left to float and two installs made a month apart can differ; and a bare pin says nothing about the integrity of the file that is actually downloaded for it.
Tools such as pipenv and poetry generate a lock file that records the exact version of every installed package, transitive ones included, together with the hash of each artifact, so a deployment resolves to the same, verified set of files every time. The lock still assumes that those versions remain available from the package index and that the target platform and Python version match the ones the lock was produced on.
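The following example, added for this article rather than taken from pip, pipenv or poetry, shows what the hashes in a lock file buy at install time. It parses a constructed requirements-style lock in the --hash=sha256:... line format that pip's --require-hashes mode consumes, hashes a stand-in for a downloaded artifact, and accepts it only if the digest is listed; the package names, versions and artifact bytes are made up for the demonstration.

```python
# Added example (not from the original article, and not pip's code): a
# stripped-down version of the check pip performs in --require-hashes mode.
# A lock pins every package, transitive ones included, and records the
# sha256 of each artifact; before installing, the downloaded file is hashed
# and compared against the lock, so a substituted or tampered file is refused.
import hashlib
import re

_LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)\s+(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lock(text):
    """Map 'package' -> (version, {allowed sha256 digests}) from lock text.

    Backslash continuations are joined first so multi-line entries work;
    any line that is not an exact pin with at least one hash is rejected.
    """
    joined = text.replace("\\\n", " ")
    locked = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed lock line: {raw!r}")
        name, version, rest = m.groups()
        digests = set(_HASH_RE.findall(rest))
        if not digests:
            raise ValueError(f"{name}=={version} has no --hash, refusing to trust it")
        locked[name.lower()] = (version, digests)
    return locked


def verify_artifact(locked, name, version, data):
    """Return True only if (name, version) is locked and data's sha256 is listed."""
    entry = locked.get(name.lower())
    if entry is None or entry[0] != version:
        return False
    return hashlib.sha256(data).hexdigest() in entry[1]


# Constructed stand-ins for downloaded distribution files (real ones are wheels).
GOOD_WHEEL = b"pretend-this-is-requests-2.28.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()
URLLIB3_DIGEST = hashlib.sha256(b"constructed urllib3 artifact").hexdigest()

# Constructed lock text in the line format pip-compile writes with hashes:
# a direct dependency plus one of its transitive dependencies, both pinned.
LOCK_TEXT = f"""
requests==2.28.0 \\
    --hash=sha256:{GOOD_DIGEST}
# transitive dependency of requests, pinned as well
urllib3==1.26.12 --hash=sha256:{URLLIB3_DIGEST}
"""

LOCKED = parse_lock(LOCK_TEXT)

if __name__ == "__main__":
    print(verify_artifact(LOCKED, "requests", "2.28.0", GOOD_WHEEL))      # True
    print(verify_artifact(LOCKED, "requests", "2.28.0", TAMPERED_WHEEL))  # False
    print(verify_artifact(LOCKED, "requests", "2.27.0", GOOD_WHEEL))      # False
```

The third call fails because the version is not the locked one, not because the bytes are wrong: the lock is a whitelist of (name, version, digest) triples, and anything outside it is rejected. That is the property a requirements.txt with version pins alone does not give you.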
Handling Dependency Updates
With a lock file in place, the next problem is that it freezes you at whatever versions were current when it was generated, security fixes included. Dependabot on GitHub watches the lock file and opens a pull request whenever a newer version of a locked dependency is released; it understands requirements.txt, pipenv (Pipfile and Pipfile.lock) and poetry (pyproject.toml and poetry.lock) workflows.
Automatic Deployment Updates
When Dependabot opens a pull request, CI runs the test suite against the updated lock file. A tool such as Mergify can then merge the pull request automatically once the required checks pass, according to rules you write: which checks must be green, which packages or bump sizes may be merged without a human, and specific versions you have decided to block.
A merge of the updated lock file can in turn trigger a deployment hook, so production picks up the new versions shortly after they are released. Keep in mind that a green build proves only that the tests still pass; it does not establish that a new release is trustworthy. The lock file's hash checks and a limit on what is allowed to auto-merge (patch and minor bumps, for instance) are what stop the automation from turning every upstream publish into an unreviewed production change.
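The merge policy described above, written out as a plain function so the rules are explicit and testable. This is an added example, not Mergify's or Dependabot's code; it assumes a pull-request record carrying the author login, the title in the "Bump <package> from <old> to <new>" form Dependabot uses, and the status of each check, and the required check names, the blocked version and the sample pull requests are constructed for the example.

```python
# Added example (not from the original article, and not Mergify's or
# Dependabot's own code): an auto-merge policy as a function. Rules assumed
# here: only Dependabot pull requests qualify, every required check must be
# green, patch and minor bumps merge automatically, major bumps wait for a
# human, and an explicit block list can veto a specific package version.
import re

_TITLE_RE = re.compile(r"^Bump (\S+) from (\S+) to (\S+)")

REQUIRED_CHECKS = ("test", "lint")          # assumed CI check names
BLOCKED = {("requests", "2.28.0")}          # constructed veto list: (package, version)


def bump_kind(old, new):
    """Classify a version change as 'major', 'minor', 'patch' or 'other'."""
    try:
        o = [int(p) for p in old.split(".")]
        n = [int(p) for p in new.split(".")]
    except ValueError:
        return "other"          # pre-releases, dates, etc. get human review
    o += [0] * (3 - len(o))
    n += [0] * (3 - len(n))
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    if n[2] != o[2]:
        return "patch"
    return "other"


def merge_decision(pr):
    """Return (action, reason) for a pull-request record; action is 'merge' or 'hold'."""
    if pr.get("author") != "dependabot[bot]":
        return "hold", "not a Dependabot pull request"
    m = _TITLE_RE.match(pr.get("title", ""))
    if not m:
        return "hold", "title does not look like a Dependabot bump"
    package, old, new = m.groups()
    if (package, new) in BLOCKED:
        return "hold", f"{package} {new} is explicitly blocked"
    checks = pr.get("checks", {})
    failing = [c for c in REQUIRED_CHECKS if checks.get(c) != "success"]
    if failing:
        return "hold", "required checks not green: " + ", ".join(failing)
    kind = bump_kind(old, new)
    if kind in ("patch", "minor"):
        return "merge", f"{kind} bump of {package} with green CI"
    return "hold", f"{kind} bump of {package} needs human review"


# Constructed pull-request records, one per rule.
SAMPLE_PRS = [
    {"author": "dependabot[bot]", "title": "Bump urllib3 from 1.26.12 to 1.26.13",
     "checks": {"test": "success", "lint": "success"}},
    {"author": "dependabot[bot]", "title": "Bump requests from 2.27.1 to 2.28.0",
     "checks": {"test": "success", "lint": "success"}},
    {"author": "dependabot[bot]", "title": "Bump sqlalchemy from 1.4.44 to 2.0.0",
     "checks": {"test": "success", "lint": "success"}},
    {"author": "dependabot[bot]", "title": "Bump flask from 2.2.0 to 2.2.1",
     "checks": {"test": "failure", "lint": "success"}},
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        print(pr["title"], "->", merge_decision(pr))
```

Only the first sample merges: the second is vetoed by the block list even though CI is green, the third is a major bump, and the fourth has a failing required check. Checking the author login matters because anyone who can open a pull request with a Dependabot-style title should not be able to trigger the merge path.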
Side Note
The same lifecycle (loose ranges in the package metadata, a lock file for deployment, automated update pull requests) applies to other ecosystems with the same pattern, such as Node.js with npm's package.json and package-lock.json.
Python Programming Learning Circle
A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.