Limitations of requirements.txt files

Many projects may define one or more requirements.txt files, and may arrange them either at the project root (e.g. requirements.txt and test-requirements.txt) or else in a directory (e.g. requirements/base.txt and requirements/test.txt). However, there are major issues with the use of requirements files in this way:

• There is no standardized naming convention such that tools can discover or use these files by name.
• requirements.txt files are not standardized, but instead provide options to pip.

As a result, it is difficult to define tool behaviors based on requirements.txt files. They are not trivial to discover or identify by name, and their contents may contain a mix of package specifiers and additional pip options.

The lack of a standard for requirements.txt contents also means they are not portable to any alternative tools which wish to process them other than pip.

Additionally, requirements.txt files require a file per dependency list. For some use-cases, this makes the marginal cost of dependency groupings high, relative to their benefit. A terser declaration is beneficial to projects with a number of small groups of dependencies.

In contrast with this, Dependency Groups are defined at a well known location in pyproject.toml with fully standardized contents. Not only will they have immediate utility, but they will also serve as a starting point for future standards.

Limitations of extras

extras are additional package metadata declared in the [project.optional-dependencies] table. They provide names for lists of package specifiers which are published as part of a package’s metadata, and which a user can request under that name, as in pip install 'foo[bar]' to install foo with the bar extra.

Because extras are package metadata, they are not guaranteed to be statically defined and may require a build system to resolve. Furthermore, definition of a [project.optional-dependencies] indicates to many tools that a project is a package, and may drive tool behaviors such as validation of the [project] table.

For projects which are packages, extras are a common solution for defining development dependencies, but even under these circumstances they have downsides:

• Because an extra defines optional additional dependencies, it is not possible to install an extra without installing the current package and its dependencies.
• Because they are user-installable, extras are part of the public interface for packages. Because extras are published, package developers often are concerned about ensuring that their development extras are not confused with user-facing extras.

Use Cases

The following use cases are considered important targets for this PEP. They are defined in greater detail in the Use Cases Appendix.

• Web Applications deployed via a non-python-packaging build process
• Libraries with unpublished dev dependency groups
• Data science projects with groups of dependencies but no core package
• Input data to lockfile generation (Dependency Groups should generally not be used as a location for locked dependency data)
• Input data to an environment manager, such as tox, Nox, or Hatch
• Configurable IDE discovery of test and linter requirements

Regarding Poetry and PDM Dependency Groups

The existing Poetry and PDM tools already offer a feature which each calls “Dependency Groups”. However, absent any standard for specifying collections of dependencies, each tool defines these in a tool-specific way, in the relevant sections of the [tool] table.

(PDM also uses extras for some Dependency Groups, and overlaps the notion heavily with extras.)

This PEP does not support all of the features of Poetry and PDM, which, like requirements.txt files for pip, support several non-standard extensions to common dependency specifiers.

It should be possible for such tools to use standardized Dependency Groups as extensions of their own Dependency Group mechanisms. However, defining a new data format which replaces the existing Poetry and PDM solutions is a non-goal. Doing so would require standardizing several additional features, such as path dependencies, which are supported by these tools.

Dependency Groups are not Hidden Extras

Dependency Groups are very similar to extras which go unpublished. However, there are two major features which distinguish them from extras further:

• they support non-package projects
• installation of a Dependency Group does not imply installation of a package’s dependencies (or the package itself)

Future Compatibility & Invalid Data

Dependency Groups are intended to be extensible in future PEPs. However, Dependency Groups should also be usable by multiple tools in a single Python project. With multiple tools using the same data, it is possible that one implements a future PEP which extends Dependency Groups, while another does not.

To support users in this case, this PEP defines and recommends validation behaviors in which tools only examine Dependency Groups which they are using. This allows multiple tools, using different versions of Dependency Groups data, to share a single table in pyproject.toml.

Dependency Object Specifiers

Dependency Object Specifiers are tables which define zero or more dependencies.

This PEP standardizes only one type of Dependency Object Specifier, a “Dependency Group Include”. Other types may be added in future standards.

[dependency-groups]
group-a = ["foo"]
group-b = ["foo>1.0"]
group-c = ["foo<1.0"]
all = ["foo", {include-group = "group-a"}, {include-group = "group-b"}, {include-group = "group-c"}]

Example Dependency Groups Table

The following is an example of a partial pyproject.toml which uses this to define four Dependency Groups: test, docs, typing, and typing-test:

[dependency-groups]
test = ["pytest", "coverage"]
docs = ["sphinx", "sphinx-rtd-theme"]
typing = ["mypy", "types-requests"]
typing-test = [{include-group = "typing"}, {include-group = "test"}, "useful-types"]

Note that none of these Dependency Group declarations implicitly install the current package, its dependencies, or any optional dependencies. Use of a Dependency Group like test to test a package requires that the user’s configuration or toolchain also installs the current package (.). For example,

$TOOL install-dependency-group test
pip install -e .

could be used (supposing $TOOL is a tool which supports installing Dependency Groups) to build a testing environment.

This also allows for the docs dependency group to be used without installing the project as a package:

$TOOL install-dependency-group docs

Package Building

Build backends MUST NOT include Dependency Group data in built distributions as package metadata. This means that PKG-INFO in sdists and METADATA in wheels do not include any referencable fields containing Dependency Groups.

It is valid to use Dependency Groups in the evaluation of dynamic metadata, and pyproject.toml files included in sdists will naturally still contain the [dependency-groups] table. However, the table contents are not part of a published package’s interfaces.

Installing Dependency Groups

Tools which support Dependency Groups are expected to provide new options and interfaces to allow users to install from Dependency Groups.

No syntax is defined for expressing the Dependency Group of a package, for two reasons:

• it would not be valid to refer to the Dependency Groups of a third-party package from PyPI (because the data is defined to be unpublished)
• there is not guaranteed to be a current package for Dependency Groups – part of their purpose is to support non-package projects

For example, a possible pip interface for installing Dependency Groups would be:

pip install --dependency-groups=test,typing

Note that this is only an example. This PEP does not declare any requirements for how tools support the installation of Dependency Groups.

Validation and Compatibility

Tools supporting Dependency Groups may want to validate data before using it. However, tools implementing such validation behavior should be careful to allow for future expansions to this spec, so that they do not unnecessarily emit errors or warnings in the presence of new syntax.

Tools SHOULD error when evaluating or processing unrecognized data in Dependency Groups.

Tools SHOULD NOT eagerly validate the list contents of all Dependency Groups.

This means that in the presence of the following data, most tools will allow the foo group to be used, and will only error when the bar group is used:

[dependency-groups]
foo = ["pyparsing"]
bar = [{set-phasers-to = "stun"}]

Audit and Update Tools

A wide range of tools understand Python dependency data as expressed in requirements.txt files. (e.g., Dependabot, Tidelift, etc)

Such tools inspect dependency data and, in some cases, offer tool-assisted or fully automated updates. It is our expectation that no such tools would support the new Dependency Groups at first, and broad ecosystem support could take many months or even some number of years to arrive.

As a result, users of Dependency Groups would experience a degradation in their workflows and tool support at the time that they start using Dependency Groups. This is true of any new standard for where and how dependency data are encoded.

Interfaces for Use of Dependency Groups

This specification provides no universal interface for interacting with Dependency Groups, other than inclusion in a built package via the project table. This has implications both for tool authors and for users.

Tool authors should determine how or if Dependency Groups are relevant to their user stories, and build their own interfaces to fit. For environment managers, resolvers, installers, and related non-build tools, they will be able to document that they support “PEP 735 Dependency Groups”, but they will be responsible for documenting their usage modes. For build backends, supporting Dependency Groups will require support for inclusion from the project table, but set no other strict requirements.

For users, the primary consequence is that they must consult relevant tool documentation whenever they wish to use Dependency Groups outside of package builds. Users should be advised by tools, either through documentation or runtime warnings or errors, about usages which are disrecommended or not supported. For example, if a tool wishes to require that all Dependency Groups are mutually compatible, containing no contradictory package specifiers, it should document that restriction and advise users on how to appropriately leverage Dependency Groups for its purposes.

Why not define each Dependency Group as a table?

If our goal is to allow for future expansion, then defining each Dependency Group as a subtable, thus enabling us to attach future keys to each group, allows for the greatest future flexibility.

However, it also makes the structure nested more deeply, and therefore harder to teach and learn. One of the goals of this PEP is to be an easy replacement for many requirements.txt use-cases.

Why not define a special string syntax to extend Dependency Specifiers?

Earlier drafts of this specification defined syntactic forms for Dependency Group Includes and Path Dependencies.

However, there were three major issues with this approach:

• it complicates the string syntax which must be taught, beyond PEP 508
• the resulting strings would always need to be disambiguated from PEP 508 specifiers, complicating implementations

Why not allow for more non-PEP 508 dependency specifiers?

Several use cases surfaced during discussion which need more expressive specifiers than are possible with PEP 508.

“Path Dependencies”, referring to local paths, and references to [project.dependencies] were of particular interest.

However, there are no existing standards for these features (excepting the de-facto standard of pip’s implementation details).

As a result, attempting to include these features in this PEP results in a significant growth in scope, to attempt to standardize these various features and pip behaviors.

Special attention was devoted to attempting to standardize the expression of editable installations, as expressed by pip install -e and PEP 660. However, although the creation of editable installs is standardized for build backends, the behavior of editables is not standardized for installers. Inclusion of editables in this PEP requires that any supporting tool allows for the installation of editables.

Therefore, although Poetry and PDM provide syntaxes for some of these features, they are considered insufficiently standardized at present for inclusion in Dependency Groups.

Why is the table not named [run], [project.dependency-groups], …?

There are many possible names for this concept. It will have to live alongside the already existing [project.dependencies] and [project.optional-dependencies] tables, and possibly a new [external] dependency table as well (at time of writing, PEP 725, which defines the [external] table, is in progress).

[run] was a leading proposal in earlier discussions, but its proposed usage centered around a single set of runtime dependencies. This PEP explicitly outlines multiple groups of dependencies, which makes [run] a less appropriate fit – this is not just dependency data for a specific runtime context, but for multiple contexts.

[project.dependency-groups] would offer a nice parallel with [project.dependencies] and [project.optional-dependencies], but has major downsides for non-package projects. [project] requires several keys to be defined, such as name and version. Using this name would either require redefining the [project] table to allow for these keys to be absent, or else would impose a requirement on non-package projects to define and use these keys. By extension, it would effectively require any non-package project allow itself to be treated as a package.

Why is pip’s planned implementation of --only-deps not sufficient?

pip currently has a feature on the roadmap to add an –only-deps flag. This flag is intended to allow users to install package dependencies and extras without installing the current package.

It does not address the needs of non-package projects, nor does it allow for the installation of an extra without the package dependencies.

Why isn’t <environment manager> a solution?

Existing environment managers like tox, Nox, and Hatch already have the ability to list inlined dependencies as part of their configuration data. This meets many development dependency needs, and clearly associates dependency groups with relevant tasks which can be run. These mechanisms are good but they are not sufficient.

First, they do not address the needs of non-package projects.

Second, there is no standard for other tools to use to access these data. This has impacts on high-level tools like IDEs and Dependabot, which cannot support deep integration with these Dependency Groups. (For example, at time of writing Dependabot will not flag dependencies which are pinned in tox.ini files.)

Why not support Dependency Group Includes in [project.dependencies] or [project.optional-dependencies]?

Earlier drafts of this specification allowed Dependency Group Includes to be used in the [project] table. However, there were several issues raised during community feedback which led to its removal.

Only a small number of additional use cases would be addressed by the inclusion of Dependency Groups, and it increased the scope of the specification significantly. In particular, this inclusion would increase the number of parties impacted by the addition. Many readers of the [project] table, including build backends, SBOM generators, and dependency analyzers are implicated by a change to [project] but may continue to operate as-is in the presence of a new (but unconnected) [dependency-groups] table.

Separately from the above concern, allowing inclusion of dependency groups from the [project] table encourages package maintainers to move dependency metadata out of the current standard location. This complicates static pyproject.toml metadata and conflicts with the goal of PEP 621 to store dependency metadata in a single location.

Finally, exclusion of [project] support from this PEP is not final. The use of includes from that table, or an inclusion syntax from [dependency-groups] into [project], could be introduced by a future PEP and considered on its own merits.

[project]
dependencies = [{include = "runtime"}]
[optional-dependencies]
foo = [{include = "foo"}]
[dependency-groups]
runtime = ["a", "b"]
foo = ["c", "d"]
typing = ["mypy", {include = "runtime"}, {include = "foo"}]

Why not support Dependency Group Includes in [build-system.requires]?

Given that we will not allow for [project] usage of Dependency Groups, [build-system.requires] can be considered in comparison with [project.dependencies].

There are fewer theoretical usages for build requirements specified in a group than package requirements. Additionally, the impact of such a change implicates PEP 517 frontend, which would need to support Dependency Groups in order to prepare a build environment.

Compared with changes to [project.dependencies] and [project.optional-dependencies], changing the behaviors of [build-system.requires] is higher impact and has fewer potential uses. Therefore, given that this PEP declines to make changes to the [project] table, changing [build-system] is also deferred.

Why not support a Dependency Group which includes the current project?

Several usage scenarios for dependency groups revolve around installing a dependency group alongside a package defined in the [project] table. For example, testing a package involves installing testing dependencies and the package itself. Additionally, the compatibility of a dependency group with the main package is a valuable input to lockfile generators.

In such cases, it is desirable for a Dependency Group to declare that it depends upon the project itself. Example syntaxes from discussions included {include-project = true} and {include-group = ":project:"}.

However, if a specification is established to extend PEP 508 with Path Dependencies, this would result in Dependency Groups having two ways of specifying the main package. For example, if . becomes formally supported, and {include-project = true} is included in this PEP, then dependency groups may specify any of the following groups

[dependency-groups]
case1 = [{include-project = true}]
case2 = ["."]
case3 = [{include-project = true}, "."]
case4 = [{include-project = false}, "."]

In order to avoid a confusing future in which multiple different options specify the package defined in pyproject.toml, any syntax for declaring this relationship is omitted from this PEP.

JavaScript and package.json

In the JavaScript community, packages contain a canonical configuration and data file, similar in scope to pyproject.toml, at package.json.

Two keys in package.json control dependency data: "dependencies" and "devDependencies". The role of "dependencies" is effectively the same as that of [project.dependencies] in pyproject.toml, declaring the direct dependencies of a package.

{
    "dependencies": {
        "@angular/compiler": "^17.0.2",
        "camelcase": "8.0.0",
        "diff": ">=5.1.0 <6.0.0"
    }
}

{
    "dependencies": {
        "my-package": "file:../foo"
    }
}

{
    "peerDependencies": {
        "foo": "2.x"
    }
}

{
    "peerDependencies": {
        "foo": "2.x"
    },
    "peerDependenciesMeta": {
        "foo": {
            "optional": true
        }
    }
}

Ruby & Ruby Gems

Ruby projects may or may not be intended to produce packages (“gems”) in the Ruby ecosystem. In fact, the expectation is that most users of the language do not want to produce gems and have no interest in producing their own packages. Many tutorials do not touch on how to produce packages, and the toolchain never requires user code to be packaged for supported use-cases.

Ruby splits requirement specification into two separate files.

• Gemfile: a dedicated file which only supports requirement data in the form of dependency groups
• <package>.gemspec: a dedicated file for declaring package (gem) metadata

The bundler tool, providing the bundle command, is the primary interface for using Gemfile data.

The gem tool is responsible for building gems from .gemspec data, via the gem build command.

source 'https://rubygems.org'

gem 'rails'

group :test do
  gem 'rspec'
end

group :lint do
  gem 'rubocop'
end

group :docs do
  gem 'kramdown'
  gem 'nokogiri'
end

version = '7.1.2'

Gem::Specification.new do |s|
  s.platform    = Gem::Platform::RUBY
  s.name        = "rails"
  s.version     = version
  s.summary     = "Full-stack web application framework."

  s.license = "MIT"
  s.author   = "David Heinemeier Hansson"

  s.files = ["README.md", "MIT-LICENSE"]

  # shortened from the real 'rails' project
  s.add_dependency "activesupport", version
  s.add_dependency "activerecord",  version
  s.add_dependency "actionmailer",  version
  s.add_dependency "activestorage", version
  s.add_dependency "railties",      version
end

s.add_dependency "rexml"
s.add_development_dependency 'minitest', '~> 5.0'
s.add_development_dependency 'rouge', '~> 3.0', '>= 3.26.0'
s.add_development_dependency 'stringex', '~> 1.5.1'

Gem::Specification.new do |s|
  s.author = 'Stephen Rosen'
  s.name = 'cool-gem'
  s.version = '0.0.1'
  s.summary = 'A very cool gem that does cool stuff'
  s.license = 'MIT'

  s.files = []

  s.add_dependency 'rails'
  s.add_development_dependency 'kramdown'
end

source 'https://rubygems.org'

gemspec

gem 'cool-gem', :path => '.'

group :development do
  gem 'kramdown'
end

Projects are Packages

Both PDM and Poetry treat the projects they support as packages. This allows them to use and interact with standard pyproject.toml metadata for some of their needs, and allows them to support installation of the “current project” by doing a build and install using their build backends.

Effectively, this means that neither Poetry nor PDM supports non-package projects.

Non-Standard Dependency Specifiers

PDM and Poetry extend PEP 508 dependency specifiers with additional features which are not part of any shared standard. The two tools use slightly different approaches to these problems, however.

PDM supports specifying local paths, and editable installs, via a syntax which looks like a set of arguments to pip install. For example, the following dependency group includes a local package in editable mode:

[tool.pdm.dev-dependencies]
mygroup = ["-e file:///${PROJECT_ROOT}/foo"]

This declares a dependency group mygroup which includes a local editable install from the foo directory.

Poetry describes dependency groups as tables, mapping package names to specifiers. For example, the same configuration as the above mygroup example might appear as follows under Poetry:

[tool.poetry.group.mygroup]
foo = { path = "foo", editable = true }

PDM restricts itself to a string syntax, and Poetry introduces tables which describe dependencies.

Installing and Referring to Dependency Groups

Both PDM and Poetry have tool-specific support for installing dependency groups. Because both projects support their own lockfile formats, they also both have the capability to transparently use a dependency group name to refer to the locked dependency data for that group.

However, neither tool’s dependency groups can be referenced natively from other tools like tox, nox, or pip. Attempting to install a dependency group under tox, for example, requires an explicit call to PDM or Poetry to parse their dependency data and do the relevant installation step.

Web Applications

A web application (e.g. a Django or Flask app) often does not need to build a distribution, but bundles and ships its source to a deployment toolchain.

For example, a source code repository may define Python packaging metadata as well as containerization or other build pipeline metadata (Dockerfile, etc). The Python application is built by copying the entire repository into a build context, installing dependencies, and bundling the result as a machine image or container.

Such applications have dependency groups for the build, but also for linting, testing, etc. In practice, today, these applications often define themselves as packages to be able to use packaging tools and mechanisms like extras to manage their dependency groups. However, they are not conceptually packages, meant for distribution in sdist or wheel format.

Dependency Groups allow these applications to define their various dependencies without relying on packaging metadata, and without trying to express their needs in packaging terms.

Libraries

Libraries are Python packages which build distributions (sdist and wheel) and publish them to PyPI.

For libraries, Dependency Groups represent an alternative to extras for defining groups of development dependencies, with the important advantages noted above.

A library may define groups for test and typing which allow testing and type-checking, and therefore rely on the library’s own dependencies (as specified in [project.dependencies]).

Other development needs may not require installation of the package at all. For example, a lint Dependency Group may be valid and faster to install without the library, as it only installs tools like black, ruff, or flake8.

lint and test environments may also be valuable locations to hook in IDE or editor support. See the case below for a fuller description of such usage.

Here’s an example Dependency Groups table which might be suitable for a library:

[dependency-groups]
test = ["pytest<8", "coverage"]
typing = ["mypy==1.7.1", "types-requests"]
lint = ["black", "flake8"]
typing-test = [{include-group = "typing"}, "pytest<8"]

Note that none of these implicitly install the library itself. It is therefore the responsibility of any environment management toolchain to install the appropriate Dependency Groups along with the library when needed, as in the case of test.

Data Science Projects

Data Science Projects typically take the form of a logical collection of scripts and utilities for processing and analyzing data, using a common toolchain. Components may be defined in the Jupyter Notebook format (ipynb), but rely on the same common core set of utilities.

In such a project, there is no package to build or install. Therefore, pyproject.toml currently does not offer any solution for dependency management or declaration.

It is valuable for such a project to be able to define at least one major grouping of dependencies. For example:

[dependency-groups]
main = ["numpy", "pandas", "matplotlib"]

However, it may also be necessary for various scripts to have additional supporting tools. Projects may even have conflicting or incompatible tools or tool versions for different components, as they evolve over time.

Consider the following more elaborate configuration:

[dependency-groups]
main = ["numpy", "pandas", "matplotlib"]
scikit = [{include-group = "main"}, "scikit-learn==1.3.2"]
scikit-old = [{include-group = "main"}, "scikit-learn==0.24.2"]

This defines scikit and scikit-old as two similar variants of the common suite of dependencies, pulling in different versions of scikit-learn to suit different scripts.

This PEP only defines these data. It does not formalize any mechanism for a Data Science Project (or any other type of project) to install the dependencies into known environments or associate those environments with the various scripts. Such combinations of data are left as a problem for tool authors to solve, and perhaps eventually standardize.

Lockfile Generation

There are a number of tools which generate lockfiles in the Python ecosystem today. PDM and Poetry each use their own lockfile formats, and pip-tools generates requirements.txt files with version pins and hashes.

Dependency Groups are not an appropriate place to store lockfiles, as they lack many of the necessary features. Most notably, they cannot store hashes, which most lockfile users consider essential.

However, Dependency Groups are a valid input to tools which generate lockfiles. Furthermore, PDM and Poetry both allow a Dependency Group name (under their notions of Dependency Groups) to be used to refer to its locked variant.

Therefore, consider a tool which produces lockfiles, here called $TOOL. It might be used as follows:

$TOOL lock --dependency-group=test
$TOOL install --dependency-group=test --use-locked

All that such a tool needs to do is to ensure that its lockfile data records the name test in order to support such usage.

The mutual compatibility of Dependency Groups is not guaranteed. For example, the Data Science example above shows conflicting versions of scikit-learn. Therefore, installing multiple locked dependency groups in tandem may require that tools apply additional constraints or generate additional lockfile data. These problems are considered out of scope for this PEP.

As two examples of how combinations might be locked:

• A tool might require that lockfile data be explicitly generated for any combination to be considered valid
• Poetry implements the requirement that all Dependency Groups be mutually compatible, and generates only one locked version. (Meaning it finds a single solution, rather than a set or matrix of solutions.)

Environment Manager Inputs

A common usage in tox, Nox, and Hatch is to install a set of dependencies into a testing environment.

For example, under tox.ini, type checking dependencies may be defined inline:

[testenv:typing]
deps =
    pyright
    useful-types
commands = pyright src/

This combination provides a desirable developer experience within a limited context. Under the relevant environment manager, the dependencies which are needed for the test environment are declared alongside the commands which need those dependencies. They are not published in package metadata, as extras would be, and they are discoverable for the tool which needs them to build the relevant environment.

Dependency Groups apply to such usages by effectively “lifting” these requirements data from a tool-specific location into a more broadly available one. In the example above, only tox has access to the declared list of dependencies. Under an implementation supporting dependency groups, the same data might be available in a Dependency Group:

[dependency-groups]
typing = ["pyright", "useful-types"]

The data can then be used under multiple tools. For example, tox might implement support as dependency_groups = typing, replacing the deps usage above.

In order for Dependency Groups to be a viable alternative for users of environment managers, the environment managers will need to support processing Dependency Groups similarly to how they support inline dependency declaration.

IDE and Editor Use of Requirements Data

IDE and editor integrations may benefit from conventional or configurable name definitions for Dependency Groups which are used for integrations.

There are at least two known scenarios in which it is valuable for an editor or IDE to be capable of discovering the non-published dependencies of a project:

• testing: IDEs such as VS Code support GUI interfaces for running particular tests
• linting: editors and IDEs often support linting and autoformatting integrations which highlight or autocorrect errors

These cases could be handled by defining conventional group names like test, lint, and fix, or by defining configuration mechanisms which allow the selection of Dependency Groups.

For example, the following pyproject.toml declares the three aforementioned groups:

[dependency-groups]
test = ["pytest", "pytest-timeout"]
lint = ["flake8", "mypy"]
fix = ["black", "isort", "pyupgrade"]

This PEP makes no attempt to standardize such names or reserve them for such uses. IDEs may standardize or may allow users to configure the group names used for various purposes.

This declaration allows the project author’s knowledge of the appropriate tools for the project to be shared with all editors of that project.