I think it’s widely considered to be a good practice to pin your dependencies in a file like `poetry.lock`, etc. The problem I’m having is it doesn’t seem possible to pin build dependencies. For example, my project depends on `pyyaml`, which has no runtime dependencies but build dependencies on `cython`. Regardless of whether I use `pipenv`, none of these tools lock versions of these build dependencies, even if I’m on a system where a pre-compiled wheel is not available and these build dependencies must be installed.

As a result, sometimes when new versions of transitive build dependencies of my project are released, installs of my project break despite my attempts to pin everything to working versions. This happened last night with a new version of `cython` and has happened in the past with new versions of `setuptools`. Is there a good way to pin down all transitive build dependencies of my project to avoid problems like this?
(There’s an additional problem of `pip` not respecting flags like `--constraints` when using PEP-517, although my project has a temporary workaround for that by using the `PIP_CONSTRAINT` environment variable. See Enable again build isolation with proper pinning of build dependencies by adferrand · Pull Request #8443 · certbot/certbot · GitHub.)
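The `PIP_CONSTRAINT` workaround mentioned above, written out as an added example that is not part of the original post: a separate build-constraints file with exact pins for the build tools, a check that nothing in it is left unpinned, and a `pip install` that exports the file so the isolated PEP 517 build environment picks it up. The version numbers are constructed placeholders, not recommendations.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. pip's --constraint flag is not
# forwarded to the pip subprocess that populates the isolated PEP 517 build
# environment, but that subprocess does read the PIP_CONSTRAINT variable.
set -e

write_build_constraints() {
  # $1: path of the constraints file to write.
  # Constructed placeholder versions: take the real ones from a build that
  # is known to work, then leave them alone until you deliberately bump them.
  cat > "$1" <<'EOF'
cython==0.29.32
setuptools==65.5.0
wheel==0.38.4
EOF
}

check_all_pinned() {
  # $1: constraints file. Returns 1 and names the offending line if any
  # non-comment line is not an exact "name==version" pin; a bare name or a
  # ">=" range here would not stop tomorrow's release from breaking a build.
  local ok=0 line
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      *'=='*) ;;
      *) echo "unpinned build constraint: $line" >&2; ok=1 ;;
    esac
  done < "$1"
  return "$ok"
}

install_with_pinned_build_deps() {
  # $1: constraints file; remaining arguments are passed to pip install.
  # PIP_CONSTRAINT must be an absolute path because the build runs elsewhere.
  local constraints="$1"; shift
  check_all_pinned "$constraints"
  PIP_CONSTRAINT="$(cd "$(dirname "$constraints")" && pwd)/$(basename "$constraints")" \
    python -m pip install "$@"
}

# Typical use (needs network, so not run here):
#   write_build_constraints build-constraints.txt
#   install_with_pinned_build_deps build-constraints.txt --no-binary pyyaml pyyaml
```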