# DP001: NoPinnedDependencies

## Overview
| Property | Value |
|---|---|
| ID | DP001 |
| Name | NoPinnedDependencies |
| Group | dependencies |
| Severity | WARNING |
## Description

Checks that declared dependencies aren't overly pinned to exact versions.

Exact version pins such as `requests==2.28.0` in a project's declared dependencies can cause:

- Dependency conflicts with other packages that require a different version
- Security issues when the pinned version is never updated to pick up fixes
- Difficult upgrades, because every bump needs a change to the dependency list
## What it checks

The check scans `pyproject.toml` dependencies for exact pins:

```toml
# BAD - exact pins
dependencies = [
    "requests==2.28.0",
    "numpy==1.24.0",
]
```

```toml
# GOOD - flexible versions
dependencies = [
    "requests>=2.28.0",
    "numpy>=1.24.0,<2",
]
```

## How to fix
Use flexible version specifiers:

| Specifier | Meaning |
|---|---|
| `>=2.28.0` | Version 2.28.0 or higher |
| `>=2.28,<3` | Version 2.28+ but not 3.x |
| `~=2.28` | Compatible release (~= 2.28.0) |
| `>=2.28,!=2.29.0` | Exclude a specific version |
### Example fix

```toml
[project]
dependencies = [
    "requests>=2.28.0",   # Instead of requests==2.28.0
    "numpy>=1.24.0,<2",   # Allow 1.x updates
    "rich>=13.0.0",
]
```

## When exact pins are appropriate
- Lockfiles - Use `uv.lock` or `poetry.lock` for reproducible builds; the lockfile, not `pyproject.toml`, is where exact versions belong
- Known incompatibilities - Pin when specific versions are known to break your project
- Security fixes - Pin the minimum version that contains the fix (a `>=` lower bound), rather than an exact version
## Configuration

### Skip this check

```toml
[tool.pycmdcheck]
skip = ["DP001"]
```

### CLI

```shell
pycmdcheck --skip DP001
```