requirements.txt: A Deep Dive into Python's Pipfile and PipenvFor decades, the humble requirements.txt file has been the cornerstone of Python dependency management. It’s simple, ubiquitous, and gets the job done. However, as Python projects grow from simple scripts to complex applications, the limitations of requirements.txt become painfully apparent: lack of environment separation, global installation conflicts, and ambiguity between top-level and sub-dependencies.
Enter Pipenv and its declarative companion, the Pipfile.
Pipenv was officially recommended by the Python Packaging Authority (PyPA) as the "tool for managing project dependencies." At its heart lies the Pipfile, a modern, TOML-based replacement for the venerable requirements.txt.
This article explores everything you need to know about the Pipfile: what it is, why it matters, its anatomy, how it compares to alternatives, and a practical workflow to integrate it into your next Python project.
[[source]]The double brackets denote a list of tables. This tells Pipenv where to fetch packages from. By default, it points to PyPI. You can add multiple sources, which is essential for organizations using private PyPI servers (like Artifactory or Gemfury). Pipfile
[[source]] url = "https://my-private-pypi.com/simple" verify_ssl = true name = "private"
[[source]] url = "https://pypi.org/simple" verify_ssl = true name = "pypi"
PipfileInstallation: Ensure pip-tools is installed.
pip install pip-tools
Create Pipfile: Run pipenv --three (for Python 3) or specify the Python version you want to use. Beyond requirements
Edit Pipfile: Open the generated Pipfile and add your dependencies.
Install Dependencies: Run pipenv sync.
Lock Dependencies: Use pipenv lock to generate a Pipfile.lock which ensures reproducible installations.
Pipfile?In simple terms, a Pipfile is a configuration file that lists your project's dependencies. It replaces requirements.txt and requirements.dev.txt (or similar patterns) by merging them into a single, structured file. [[source]]
The double brackets denote a list of tables
Unlike a plain text requirements.txt, a Pipfile is written in TOML (Tom's Obvious, Minimal Language), a human-readable format that also allows for structured data. This structure allows it to do two crucial things that requirements.txt cannot:
[packages] (for production) and [dev-packages] (for testing/linting/docs) sections.requests), but also the source index (PyPI, a private repo) and Python version requirements.Alongside the Pipfile, Pipenv generates a Pipfile.lock. This lock file is the critical counterpart: it pins every single package to an exact, hash-verified version. The Pipfile says "I want Django >= 3.2," while the Pipfile.lock says "We are using Django 4.1.7, its hash is XYZ, and it requires asgiref 3.6.0."
pipenv install --dev
Creates an isolated virtual environment and installs exact versions from Pipfile.lock.
pyproject.toml vs. PipfileYou might be wondering: "Isn't pyproject.toml the new standard?" Yes. PEP 621 now standardizes dependencies within pyproject.toml. Tools like Poetry, Flit, and PDM already use pyproject.toml natively.
Where does this leave Pipfile? There is active discussion about Pipenv migrating to read/write pyproject.toml directly. In fact, Pipenv can now read a [project] table from pyproject.toml.
Recommendation:
pip semantics: Use pip-tools and requirements.txt.Pipfile is still robust and secure. Don't feel pressured to migrate unless you need specific PEP 621 features.