
Python Packaging

python Python 3.7+ Intermediate

Also Known As

Poetry, PDM, pyproject.toml, poetry.lock, Python dependencies

TL;DR

pyproject.toml with a lock-file tool such as Poetry or PDM replaces setup.py and the hand-written requirements.txt, giving hash-pinned, reproducible installs with dev and prod dependencies kept apart, the way composer.lock does for PHP.

Explanation

Modern Python packaging centres on pyproject.toml. PEP 518 introduced the file and its [build-system] table, PEP 517 defined the build-backend interface that lets tools build a project without executing setup.py, and PEP 621 standardised project metadata in the [project] table; together they replace setup.py and setup.cfg for new projects.

Poetry keeps dependency declarations in pyproject.toml and the resolved versions plus the sha256 of every artifact in poetry.lock, manages the project's virtual environment, and publishes to PyPI. PDM uses the standard [project] table with its own lock file (pdm.lock) and a fast resolver; its original PEP 582 (__pypackages__, no virtualenv) mode was never accepted as a standard and is no longer the default.

Key Poetry commands: poetry add <pkg> resolves the package, installs it and updates poetry.lock; poetry install installs exactly what the lock file records and verifies each downloaded file against the recorded hash; poetry install --only main (Poetry 1.2+) installs the production set without dev groups. Poetry 2.x also accepts the standard [project] table. A committed lock file is what makes installs reproducible across environments, and per-project virtual environments keep one project's dependencies from colliding with another's. The PHP analogy holds: Poetry is to Python as Composer is to PHP, and poetry.lock plays the role of composer.lock.

Common Misconception

"requirements.txt is the modern way to manage Python dependencies." A hand-written requirements.txt with bare names (requests, flask) has no lock mechanism: it cannot distinguish direct from transitive dependencies, mixes dev and prod tools, and resolves to whatever is newest on install day. Only a generated, fully pinned and hashed file (pip-compile --generate-hashes or uv pip compile --generate-hashes, installed with pip install --require-hashes) gives comparable guarantees; pyproject.toml plus a lock-file tool such as Poetry, PDM or uv is the modern standard.

Why It Matters

A requirements.txt without pinned versions produces different installs on different dates, so a new upstream release, whether buggy or compromised, reaches production without anyone changing a line of your code. poetry.lock records the exact version and the sha256 of every artifact, so every developer machine, CI runner and production host installs identical, hash-verified packages, like composer.lock.

Common Mistakes

  • No lock file committed to git (or poetry.lock listed in .gitignore): every clone resolves afresh and gets different versions
  • pip install -r requirements.txt in production instead of poetry install --only main: installs test runners and formatters alongside the application
  • Not using virtual environments: global installs conflict between projects
  • Mixing pip install and poetry in the same project: packages pip installs into the Poetry environment are not recorded in poetry.lock, so the environment silently diverges from the lock

Code Examples

✗ Vulnerable
# requirements.txt — no locking, no separation:
requests
flask
pytest    # Dev tool in production!
black     # Dev tool in production!
# Different versions installed on different days
✓ Fixed
# pyproject.toml with Poetry:
[tool.poetry]
name = "demo-service"   # placeholder project name
version = "0.1.0"

[tool.poetry.dependencies]
python   = "^3.11"
requests = "^2.31"
flask    = "^3.0"

[tool.poetry.group.dev.dependencies]
pytest = "^7.4"
black  = "^23.0"

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

# Commands:
# poetry lock                  # Resolve the ^-ranges to exact versions + sha256 hashes in poetry.lock
# poetry install               # From lock file, hash-verified: deterministic
# poetry install --only main   # Production: no dev group
# poetry add requests          # Adds to pyproject.toml and updates poetry.lock
# git add pyproject.toml poetry.lock
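As an added example, not code from the page or from pip: the audit below turns the "Vulnerable" file above into a CI check. It joins backslash continuations, strips comments the way pip does, and flags every requirement that is not pinned with == or lacks a --hash, plus editable and direct VCS references that bypass index resolution. The sample files, the example/pkg repository and the digests are constructed placeholders; pip-compile --generate-hashes or uv pip compile --generate-hashes produce the pinned shape shown in PINNED_SAMPLE, and pip install --require-hashes enforces the same rule at install time.

```python
"""Audit a requirements.txt for the non-determinism the page describes.

Added example (not CodeClarityLab's or pip's code); standard library only.
Flags: no exact == pin, pinned lines with no --hash, weak or malformed
hashes, and direct URL/VCS/editable references. Samples are constructed.
"""
import re
from dataclasses import dataclass

# PEP 508 subset: name, optional [extras], version specifier, optional ; marker.
# --hash options are removed from the line before this is applied.
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
                     r"(?:\[[^\]]*\])?\s*(?P<spec>[^;]*?)\s*(?:;.*)?$")
_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
# Algorithms pip accepts in hash-checking mode, with their hex digest lengths.
_STRONG = {"sha256": 64, "sha384": 96, "sha512": 128}


@dataclass(frozen=True)
class Finding:
    line_no: int      # first physical line of the logical requirement
    requirement: str  # distribution name, or the option/URL as written
    problem: str


def _logical_lines(text):
    """Yield (line_no, text): backslash continuations joined, comments dropped."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        # pip: '#' is a comment only at line start or after whitespace, so '#egg=' survives.
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined, buf = " ".join(p for p in buf if p), []
        if joined:
            yield start, joined


def _is_exact_pin(spec):
    """True only for '==' / '===' to a full version; ranges and '==1.2.*' float."""
    return any(re.fullmatch(r"===?[A-Za-z0-9][A-Za-z0-9.+!-]*", c.replace(" ", ""))
               for c in spec.split(",") if c.strip())


def audit_requirements(text):
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):
            if line.split()[0] in ("-e", "--editable"):
                findings.append(Finding(no, line, "editable install: built from a checkout, never hash-checked"))
            continue  # --index-url, -r and similar options are not requirements
        if "://" in line or line.startswith(("git+", "hg+", "svn+", "bzr+")):
            findings.append(Finding(no, line.split()[0],
                                    "direct reference: not resolved from the index; VCS refs cannot be hash-checked"))
            continue
        hashes = _HASH_RE.findall(line)
        m = _REQ_RE.match(_HASH_RE.sub("", line).strip())
        if not m:
            findings.append(Finding(no, line, "unparseable requirement"))
            continue
        name, spec = m["name"], m["spec"].strip()
        if not _is_exact_pin(spec):
            findings.append(Finding(no, name, f"not pinned to an exact version ({spec or 'no specifier'})"))
        if not hashes:
            findings.append(Finding(no, name, "no --hash: a substituted artifact would install silently"))
        for alg, digest in hashes:
            if _STRONG.get(alg) != len(digest):
                findings.append(Finding(no, name, f"weak or malformed hash {alg}:{digest[:8]}..."))
    return findings


_FAKE_SHA256, _FAKE_SHA384 = "ab" * 32, "cd" * 48  # placeholder digests, not real hashes
# Constructed: the page's vulnerable file plus one pip-compile --generate-hashes
# style line, a direct VCS reference and an editable install.
UNPINNED_SAMPLE = f"""\
# requirements.txt
requests
flask>=3.0
pytest    # Dev tool in production!
black     # Dev tool in production!
urllib3==2.2.1 \\
    --hash=sha256:{_FAKE_SHA256}
certifi==2024.2.2
git+https://github.com/example/pkg.git@main#egg=pkg
-e .
"""
# Constructed: the fully pinned and hashed shape; the audit returns nothing.
PINNED_SAMPLE = f"""\
requests==2.31.0 \\
    --hash=sha256:{_FAKE_SHA256}
flask==3.0.3 \\
    --hash=sha256:{_FAKE_SHA256} \\
    --hash=sha384:{_FAKE_SHA384}
"""

if __name__ == "__main__":
    for f in audit_requirements(UNPINNED_SAMPLE):
        print(f"line {f.line_no}: {f.requirement}: {f.problem}")
```

Run it over a real file with audit_requirements(open("requirements.txt").read()); an empty list means every line is exactly pinned and hashed, which is the only shape that should ever be installed in production.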

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
Use pyproject.toml (PEP 518/621) for all new Python packages; it replaces setup.py and setup.cfg. Commit a lock file (poetry.lock, pdm.lock, uv.lock, or a hash-pinned requirements.txt generated by pip-tools) for deterministic installs, analogous to composer.lock.
📦 Applies To
python 3.7 web cli
🔍 Detection Hints
setup.py still used for new packages; no lock file (poetry.lock, pdm.lock, uv.lock or a hash-pinned requirements.txt) committed; pip install without pinned versions or --require-hashes in production
Auto-detectable: ✗ No
Tools: pip, uv, poetry, pyproject.toml
🤖 AI Agent
Confidence: Medium · False Positives: Low · ✗ Manual fix · Fix effort: Medium · Context: File
