Pip-compile
Internal
Overview
You want to be able to lock down the versions of all of the packages that your Python code depends on in your requirements.txt file. You want this file to include versions for not just the direct dependencies that your code imports directly, but also versions for all of the transitive dependencies as well...that is, the versions of modules that your directly dependent modules themselves depend on.
So the question is...how do you maintain the contents of "requirements.txt"? You can use pip freeze > requirements.txt, but this is messy. It depends not on a clear list of what the direct dependencies of your app are, but rather on what happens to be in your environment at the time of creation. What you really want is to have a file in which you list the direct dependencies of your app, along with versions for each of them, and then somehow produce the appropriate requirements.txt file from that list such that it contains exactly versions for those direct dependencies as well as versions for just the transitive dependencies needed by those direct dependencies.
The requirements.in file and pip-compile together give you this desired behavior. In requirements.in, you list just the direct dependencies of your app. Then you run pip-compile on that file to produce requirements.txt. The compile process will produce what you want...a file that contains both the modules listed in requirements.in and the transitive dependencies of those modules.