| name | dependency-management |
| description | Automatically applies when managing Python dependencies. Ensures proper use of uv/Poetry, lock files, version constraints, conflict resolution, and dependency security. |
| category | python |
Dependency Management Patterns
When managing Python dependencies, follow these patterns for reproducible, secure environments.
Trigger Keywords: dependencies, uv, poetry, pip, requirements, lock file, dependency conflict, version pinning, pyproject.toml, pip-compile
Agent Integration: Used by backend-architect, devops-engineer, python-engineer
✅ Correct Pattern: Using uv
curl -LsSf https://astral.sh/uv/install.sh | sh
uv init myproject
cd myproject
uv add fastapi pydantic sqlalchemy
uv add --dev pytest pytest-cov black ruff mypy
uv add --optional docs sphinx
uv sync
uv sync --extra docs
uv lock --upgrade
uv sync
uv remove package-name
pyproject.toml with uv
[project]
name = "myproject"
version = "0.1.0"
description = "My Python project"
requires-python = ">=3.11"
dependencies = [
"fastapi>=0.109.0,<1.0.0",
"pydantic>=2.5.0,<3.0.0",
"sqlalchemy>=2.0.0,<3.0.0",
"httpx>=0.26.0,<1.0.0",
]
[project.optional-dependencies]
dev = [
"pytest>=7.4.0",
"pytest-cov>=4.1.0",
"pytest-asyncio>=0.23.0",
"black>=24.0.0",
"ruff>=0.1.0",
"mypy>=1.8.0",
]
docs = [
"sphinx>=7.2.0",
"sphinx-rtd-theme>=2.0.0",
]
[tool.uv]
dev-dependencies = [
"pytest>=7.4.0",
"black>=24.0.0",
]
Using Poetry
curl -sSL https://install.python-poetry.org | python3 -
poetry new myproject
cd myproject
poetry add fastapi pydantic sqlalchemy
poetry add --group dev pytest pytest-cov black ruff mypy
poetry add --optional sphinx
poetry add --optional sphinx-rtd-theme
poetry install
poetry install --extras docs
poetry update
poetry lock --no-update
poetry remove package-name
poetry show --tree
pyproject.toml with Poetry
[tool.poetry]
name = "myproject"
version = "0.1.0"
description = "My Python project"
authors = ["Your Name <you@example.com>"]
readme = "README.md"
packages = [{include = "myproject", from = "src"}]
[tool.poetry.dependencies]
python = "^3.11"
fastapi = "^0.109.0"
pydantic = "^2.5.0"
sqlalchemy = "^2.0.0"
httpx = "^0.26.0"
sphinx = {version = "^7.2.0", optional = true}
sphinx-rtd-theme = {version = "^2.0.0", optional = true}
[tool.poetry.group.dev.dependencies]
pytest = "^7.4.0"
pytest-cov = "^4.1.0"
pytest-asyncio = "^0.23.0"
black = "^24.0.0"
ruff = "^0.1.0"
mypy = "^1.8.0"
[tool.poetry.extras]
docs = ["sphinx", "sphinx-rtd-theme"]
[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
Version Constraints
fastapi = "^0.109.0"
pytest = "~7.4.0"
black = "24.1.0"
httpx = ">=0.26.0"
sqlalchemy = "~=2.0.0"
pydantic = ">=2.5.0,<3.0.0"
requests = "2.*"
Lock Files
Dependency Conflict Resolution
uv lock
poetry lock
poetry show package-name
poetry update package-name
[tool.poetry.dependencies]
fastapi = "^0.109.0"
pydantic = "^2.5.0"
[tool.poetry.overrides]
"problematic-package" = "1.2.3"
Security Scanning
uv pip list --outdated
pip install pip-audit
pip-audit
pip install safety
safety check
poetry audit
Dependabot Configuration
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "username"
labels:
- "dependencies"
- "automated"
groups:
development-dependencies:
patterns:
- "pytest*"
- "black"
- "ruff"
- "mypy"
production-dependencies:
patterns:
- "fastapi"
- "pydantic"
- "sqlalchemy"
versioning-strategy: increase
CI/CD Integration
name: Dependency Check
on:
push:
branches: [main]
pull_request:
schedule:
- cron: "0 0 * * 0"
jobs:
check-dependencies:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"
- name: Install uv
run: curl -LsSf https://astral.sh/uv/install.sh | sh
- name: Install dependencies
run: uv sync
- name: Check for outdated packages
run: uv pip list --outdated
- name: Security audit
run: |
pip install pip-audit
pip-audit
- name: Check lock file
run: |
uv lock
git diff --exit-code uv.lock
Virtual Environment Management
uv venv
source .venv/bin/activate
poetry shell
poetry env info
poetry env list
poetry env remove python3.11
python -m venv .venv
source .venv/bin/activate
.venv\Scripts\activate
Exporting Dependencies
uv pip compile pyproject.toml -o requirements.txt
poetry export -f requirements.txt --output requirements.txt
poetry export -f requirements.txt --with dev --output requirements-dev.txt
poetry export -f requirements.txt --extras docs --output requirements-docs.txt
poetry export -f requirements.txt --without-hashes --output requirements.txt
Docker Integration
# Dockerfile with uv
FROM python:3.11-slim
WORKDIR /app
# Install uv
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
ENV PATH="/root/.cargo/bin:$PATH"
# Copy dependency files
COPY pyproject.toml uv.lock ./
# Install dependencies
RUN uv sync --frozen --no-dev
# Copy application
COPY . .
CMD ["python", "-m", "myproject"]
# Dockerfile with Poetry
FROM python:3.11-slim
WORKDIR /app
# Install Poetry
RUN pip install poetry==1.7.1
# Configure Poetry
ENV POETRY_NO_INTERACTION=1 \
POETRY_VIRTUALENVS_IN_PROJECT=1 \
POETRY_VIRTUALENVS_CREATE=1 \
POETRY_CACHE_DIR=/tmp/poetry_cache
# Copy dependency files
COPY pyproject.toml poetry.lock ./
# Install dependencies
RUN poetry install --without dev --no-root && rm -rf $POETRY_CACHE_DIR
# Copy application
COPY . .
# Install project
RUN poetry install --without dev
CMD ["poetry", "run", "python", "-m", "myproject"]
❌ Anti-Patterns
git add uv.lock
dependencies = ["fastapi"]
dependencies = ["fastapi>=0.109.0,<1.0.0"]
pip freeze > requirements.txt
git add .venv/
.venv/
venv/
*.pyc
dependencies = ["fastapi", "pytest", "black"]
[project]
dependencies = ["fastapi"]
[project.optional-dependencies]
dev = ["pytest", "black"]
pip-audit
poetry audit
Best Practices Checklist
- ✅ Use uv or Poetry for dependency management
- ✅ Commit lock files (uv.lock, poetry.lock)
- ✅ Use version constraints, not exact pins
- ✅ Separate dev dependencies from production
- ✅ Run security audits regularly
- ✅ Use Dependabot for automatic updates
- ✅ Don't commit virtual environments
- ✅ Export requirements.txt for Docker
- ✅ Pin Python version requirement
- ✅ Document dependency installation
- ✅ Test dependency updates before merging
- ✅ Use dependency groups for organization
Auto-Apply
When managing dependencies:
- Use uv or Poetry (not plain pip)
- Define dependencies in pyproject.toml
- Generate and commit lock file
- Use version constraints (^, ~, >=)
- Separate dev/docs dependencies
- Run security audits (pip-audit)
- Set up Dependabot
- Test updates in CI before merging
Related Skills
python-packaging - For package configuration
git-workflow-standards - For version control
monitoring-alerting - For dependency monitoring