python pip requirements.txt

How to freeze package version in requirements?


I have installed a Python package with pip install pyjwt[crypto], and pip freeze shows me different packages that were installed by that action.

What do I need to put in my requirements.txt to correctly freeze the versions I am developing with? I don't want to put too much in the requirements.txt, only what is needed for rebuilding the environment later.

Output pip:

...
pyjwt[crypto] in ..\site-packages (2.8.0)
cryptography>=3.4.0 in ..\site-packages (from pyjwt[crypto]) (41.0.4)
cffi>=1.12 in ..\site-packages (from cryptography>=3.4.0->pyjwt[crypto]) (1.16.0)         
pycparser in ..\site-packages (from cffi>=1.12->cryptography>=3.4.0->pyjwt[crypto]) (2.21)
...

Output pip freeze:

   ...
   cffi==1.16.0        
   cryptography==41.0.4
   pycparser==2.21
   PyJWT==2.8.0
   ...

Is it ok to put only PyJWT[crypto]==2.8.0 into requirements.txt?

When I put too much into requirements.txt I would make it harder to install additional packages in the future ... I think.


Solution

  • You can keep your requirements.txt flexible enough and use a constraints file.

    This constraint file is basically the output of pip freeze, and pins all versions, including their dependencies. If you need to add a dependency or upgrade, just do this in requirements.txt and regenerate the constraint file. That way, you are guaranteed to have a consistent deployment.

    Technically:

    # Create the constraint file
    pip freeze > constraint.txt
    
    # use it:
    pip install -r requirements.txt -c constraint.txt
    

    Official doc: https://pip.pypa.io/en/stable/user_guide/#constraints-files
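
An added example, not part of the original answer: a small check that a constraints file produced by pip freeze pins every package named in requirements.txt to one exact version, so a later rebuild cannot silently pull a different release. The file contents are constructed from the question's output, and `normalize`, `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample files, modelled on the pip freeze output in the question.
REQUIREMENTS = """\
# direct dependencies only
PyJWT[crypto]==2.8.0
"""
CONSTRAINTS = """\
cffi==1.16.0
cryptography==41.0.4
pycparser==2.21
PyJWT==2.8.0
"""

LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def normalize(name):
    """PEP 503 normalization: PyJWT and pyjwt name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse(text):
    """Yield (normalized name, extras, specifier) for each requirement line."""
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("#", "-")):  # comments and pip options
            continue
        m = LINE.match(line)
        if m:
            yield normalize(m.group(1)), m.group(2) or "", m.group(3).split(";")[0].strip()

def audit(requirements, constraints):
    """Return a list of problems that would make a rebuild non-reproducible."""
    problems, pinned = [], {}
    for name, extras, spec in parse(constraints):
        if extras:  # pip's resolver accepts only name + version in constraints
            problems.append(f"{name}: extras are not allowed in a constraints file")
        if not re.fullmatch(r"==\s*[^*,\s]+", spec):
            problems.append(f"{name}: not pinned to one exact version ({spec or 'no specifier'})")
        else:
            pinned[name] = spec[2:].strip()
    for name, _, spec in parse(requirements):
        if name not in pinned:
            problems.append(f"{name}: listed in requirements but has no pin in constraints")
        elif spec.startswith("==") and spec[2:].strip() != pinned[name]:
            problems.append(f"{name}: requirements wants {spec}, constraints pins {pinned[name]}")
    return problems

if __name__ == "__main__":
    print(audit(REQUIREMENTS, CONSTRAINTS) or "constraints file pins every requirement")
```
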