Will It Vibe?
DEP-006Medium severity-8 points

Unpinned Python requirements

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

requirements.txt declares packages with no version pins, so installs can silently drift between environments.

Why it matters

A requirements.txt with no == pins installs whatever version is newest on the day you run pip, so two installs a week apart can produce different environments. That is how a deploy breaks with no code change, when a transitive package ships something incompatible overnight. Pins make the install reproducible so production matches what you tested.

How to fix it

The quick fix is pip freeze > requirements.txt from a working environment, which pins everything currently installed. The better setup is pip-tools or uv: keep your direct dependencies with loose ranges in requirements.in (or pyproject.toml), then generate a fully pinned requirements.txt with pip-compile or uv pip compile, and regenerate it deliberately when you want upgrades. Either way, commit the pinned file and install from it in CI and production.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks