
Python Packaging

Python Python 3.7+ Intermediate
debt(d7/e5/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7) — detection_hints.automated is 'no'; missing lock files or unpinned versions in requirements.txt aren't flagged by standard linters, only noticed when CI/prod installs drift or during review of pyproject.toml/requirements.txt.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5) — quick_fix says migrate to pyproject.toml replacing setup.py/setup.cfg, plus regenerate lock files and update CI; not a one-liner but contained to packaging config.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5) — applies_to web and cli contexts; the packaging choice shapes dependency workflows, CI, Docker images, and onboarding across the whole project but isn't quite system-defining.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap most devs eventually learn' (t5) — misconception that requirements.txt is the modern standard is widespread; it lacks lock semantics and dev/prod separation, a documented gotcha Python devs learn after being burned by non-reproducible installs.


Also Known As

Poetry, PDM, pyproject.toml, poetry.lock, Python dependencies

TL;DR

pyproject.toml with Poetry or PDM replaces setup.py and requirements.txt — providing locked, reproducible, separated dev/prod dependencies like composer.lock.

Explanation

Modern Python packaging:

  • pyproject.toml (PEP 517/518) replaces setup.py and setup.cfg.
  • Poetry: pyproject.toml + poetry.lock, integrated virtual env management, publish to PyPI.
  • PDM: PEP 582, fast resolver.
  • Key commands: poetry add (install + update lock), poetry install (from lock file, deterministic), poetry install --only main (production — no dev deps).
  • Lock files ensure reproducible installs across environments.
  • Virtual environments isolate project dependencies.
  • PHP analogy: Poetry is to Python as Composer is to PHP.

Common Misconception

requirements.txt is the modern way to manage Python dependencies — requirements.txt has no lock mechanism, cannot distinguish direct from transitive deps, and mixes dev and prod deps; pyproject.toml + Poetry is the modern standard.

Why It Matters

A requirements.txt without pinned versions produces different installs on different dates — poetry.lock ensures identical package versions across all developer machines, CI, and production, like composer.lock.

Common Mistakes

  • No lock file committed to git — non-deterministic installs across environments
  • pip install in production instead of poetry install --only main — installs dev tools
  • Not using virtual environments — global installs conflict between projects
  • Mixing pip and poetry in the same project — breaks lock file integrity
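The checks above (no lock file, unpinned requirements, a pyproject.toml whose dependencies drifted away from poetry.lock) are exactly the things standard linters do not flag. The script below is an added example, not part of this glossary entry or of Poetry itself: it audits a project directory for those gaps using a deliberately simplified, line-oriented reading of requirements.txt, pyproject.toml and poetry.lock (it is not a full TOML parser) so that it runs on Python 3.7+ without tomllib. The three sample files it writes to a temporary directory are constructed for the demo; the only format assumption is that poetry.lock stores each package as a `[[package]]` table with `name` and `version` fields.

```python
"""Audit a project's packaging files for the reproducibility gaps listed above."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Constructed sample files (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
requests
flask==3.0.0
pytest    # dev tool, and unpinned
"""

SAMPLE_PYPROJECT = """\
[tool.poetry.dependencies]
python = "^3.11"
requests = "^2.31"
flask = "^3.0"

[tool.poetry.group.dev.dependencies]
pytest = "^7.4"
"""

# Constructed lock file: pytest was added to pyproject.toml but never locked.
SAMPLE_LOCK = """\
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."

[package.dependencies]
certifi = ">=2017.4.17"

[[package]]
name = "flask"
version = "3.0.0"
"""

DEP_SECTION_RE = re.compile(r"^\[tool\.poetry\.(?:group\.[^.\]]+\.)?dependencies\]$")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
LOCK_FIELD_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"')


def unpinned_requirements(text: str) -> List[str]:
    """Names in a requirements.txt that lack an exact '==' pin, in file order."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # skip blanks and options such as -r / -e
            continue
        match = NAME_RE.match(line)
        if match and "==" not in line:
            unpinned.append(match.group(1))
    return unpinned


def declared_poetry_deps(text: str) -> Set[str]:
    """Lower-cased dependency names from every Poetry dependency section."""
    deps = set()
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = bool(DEP_SECTION_RE.match(line))
            continue
        if in_section and "=" in line:
            name = line.split("=", 1)[0].strip().lower()
            if name != "python":                 # interpreter constraint, not a package
                deps.add(name)
    return deps


def parse_poetry_lock(text: str) -> Dict[str, str]:
    """Map each [[package]] name in poetry.lock to its exact locked version."""
    locked = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            continue
        if line.startswith("["):                 # sub-table such as [package.dependencies]
            current = None
            continue
        if current is None:
            continue
        match = LOCK_FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
            if "name" in current and "version" in current:
                locked[current["name"].lower()] = current["version"]
    return locked


def audit_project(root: Path) -> List[str]:
    """Return human-readable findings for the packaging mistakes listed above."""
    findings = []
    if (root / "setup.py").exists() and not (root / "pyproject.toml").exists():
        findings.append("setup.py without pyproject.toml: migrate to PEP 517/518 metadata")
    req = root / "requirements.txt"
    if req.exists():
        for name in unpinned_requirements(req.read_text()):
            findings.append(f"requirements.txt: {name} is not pinned with ==")
    pyproject, lock = root / "pyproject.toml", root / "poetry.lock"
    if pyproject.exists():
        declared = declared_poetry_deps(pyproject.read_text())
        if declared and not lock.exists():
            findings.append("poetry.lock missing: commit it so installs are deterministic")
        elif declared:
            locked = parse_poetry_lock(lock.read_text())
            for name in sorted(declared - set(locked)):
                findings.append(f"poetry.lock is stale: {name} declared but not locked")
    return findings


def demo() -> List[str]:
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "requirements.txt").write_text(SAMPLE_REQUIREMENTS)
        (root / "pyproject.toml").write_text(SAMPLE_PYPROJECT)
        (root / "poetry.lock").write_text(SAMPLE_LOCK)
        return audit_project(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as a pre-commit or CI step pointed at the repository root, `audit_project(Path("."))` turns the "only noticed in review" gaps into a failing check: on the constructed samples it reports the two unpinned requirements and the dev dependency that was declared but never locked.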

Code Examples

✗ Vulnerable

# requirements.txt — no locking, no separation:
requests
flask
pytest    # Dev tool in production!
black     # Dev tool in production!
# Different versions installed on different days

✓ Fixed

# pyproject.toml with Poetry:
[tool.poetry.dependencies]
python = '^3.11'
requests = '^2.31'
flask    = '^3.0'

[tool.poetry.group.dev.dependencies]
pytest = '^7.4'
black  = '^23.0'

# Commands:
# poetry install            # From lock file — deterministic
# poetry install --only main # Production: no dev deps
# poetry add requests       # Adds + updates poetry.lock
# git add pyproject.toml poetry.lock

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity

Severity: 🟡 Medium · Fix effort: Medium

⚡ Quick Fix
Use pyproject.toml (PEP 518) for all new Python packages — it replaces setup.py and setup.cfg; use uv or pip-tools for deterministic installs analogous to composer.lock

📦 Applies To
Python 3.7, web, cli

🔍 Detection Hints
setup.py still used for new packages; no requirements.txt lock file; pip install without pinned versions in production
Auto-detectable: ✗ No
Tools: pip, uv, poetry, pyproject.toml

🤖 AI Agent
Confidence: Medium · False Positives: Low · ✗ Manual fix · Fix: Medium · Context: File