pip-tools is my current recommendation. You create requirements.in, and you put the things you would have pip installed yourself. And then when you run the command that you talked about, it'll create the requirements.txt with the closure of all of the dependencies, showing why they're in there. It pins the versions of all of 'em. So if, for say, it drops its dangerous requirement, and you rerun this again, like that, it'll come out of your .txt file entirely.