Skip to main content

To pin or not to pin dependencies: reproducible vs. reusable software

We recently had a very interesting conversation in our lab about how to describe software dependencies (libraries one needs to install) for a software project in the context of research. One camp was proposing explicitly listing which version of a dependency is required (a scheme also referred to "pinning") and the other camp was more in favor of either not specifying version at all or specifying the minimal required version. Luckily both camps agreed on the importance of specifying dependencies, but what's the big deal about pinning vs not pinning?

Advantages of pinning dependencies

When you pin a dependency (for example by saying "numpy==1.1.3") you explicitly point to a version of a library that a) you know works with your script b) was used to generate the result you present in your paper. This is very useful for people trying to replicate your results using your code as well as yourself attempting to revisit a project that was put aside for a while (for example when reviewers come back after 3 months). By knowing which versions of libraries worked last time and generated the results in question one can quickly run and modify the code.

Advantages of not pinning dependencies

On the other side when you opt not to pin dependencies (for example by specifying "numpy" or "numpy>=1.1.3") you provide fewer constraints on your software and make it easier to incorporate into an existing software stack. Let's say you specified "numpy==1.1.3" in your and your friend Jack who has numpy 1.1.4 installed tries to install your package. They will have to downgrade numpy to meet the package dependencies or create a new Python environment just to use your package. However, if you specify "numpy>=1.1.3" Jack will be able to install your package without problems.

When to pin dependencies

  • If you are not developing a reusable package, but distributing a set of scripts to perform a particular analysis (for example to accompany a manuscript). This will increase the reproducibility of your work. Additionally, since you are not building a package, the dependencies will be only specified in requirements.txt or a Dockerfile allowing people to ignore them if they wish so. It's worth noting that you do not need to create an installable package (with in such scenario (see for example this repository).
  • In Dockerfiles. This way each time someone builds the image using this Dockerfile they will get the same result.
  • If you are developing a reusable package, but only for specifying testing environments for continuous integration. If you don't pin dependencies a release of a broken (or backward incompatible) library could break your tests. This can happen at a random moment causing Pull Requests to fail randomly and leaving contributors perplexed what is wrong with their code.

When not to pin dependencies

  • Inside, when developing a reusable package (library, framework, tool etc.). You want your package to be easy to integrate with other people software stack and thus you should only specify minimally required dependency versions and only if you know that your package will not work with older versions.

At the end of the day, this is a good example of a difference between reusability and reproducibility. Reusable software is much more valuable - it can be integrated into many different software stacks and become a building block of other tools. It is also hard to make and maintain - for once you need to validate that it runs with all the versions of ever updated dependencies. Mere reproducibility is much easier and still has its place in a context of one-off analyses to create results for a scientific paper.


  1. It’s actually a great and helpful piece of info. I’m happy that you just shared this helpful info with us. Please keep us informed like this. Thanks for sharing! Best osi model service provider.

  2. This is a very nice one and gives in-depth information. I am really happy with the quality and presentation of the article. I’d really like to appreciate the efforts you get with writing this post. Thanks for sharing.
    Python Course in Bangalore

  3. Hello,

    "Long path tool" is helpful software program for windows.

    Users get the “Destination Path Too Long” error while trying to

    copy, move or remove certain files or folders on Windows operating

    systems. Most of the time, this error happens because Microsoft has

    a 256/260 folder and name restriction in place.


  4. Great post, your all points fully clarify, packaging automation systems These steps are very helpful for us. Thank you for providing such a valuable information.

  5. Thanks for the Valuable information and it is really helpful information for me. Once again Thank you so much for sharing with us.
    Uncontested Divorce in VA
    VA Uncontested Divorce

  6. Thanks for the Valuable information and it is really helpful information.
    The digital marketing agency. #zoopersolutions

  7. Thank you for sharing this enriching blog. 3 bhk flats gwalior

  8. "Help Cargo Packers and Movers Jaipur made my recent move a breeze! From start to finish, their team was professional, efficient, and courteous. They handled all my belongings with care and ensured everything arrived at my new home safely and on time. I couldn't be happier with their service and would highly recommend Help Cargo Packers and Movers Jaipur to anyone looking for a reliable moving company in Jaipur."

  9. Your product review was thorough and unbiased. It helped me make an informed decision on my recent purchase. Thank you

    Best Digital marketing agency in Atlanta
    Digital Marketing company in Atlanta

  10. Wow, this post is fantastic! I loved how you explained in such a clear and engaging way. Your writing style is both informative and enjoyable to read. Thank you for sharing your insights and knowledge! Looking forward to reading more of your work.
    best ghost writing lane


Post a Comment