Looking at the format it supports bare, pinned, or version ranges.
I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.
The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.
https://pip.pypa.io/en/latest/reference/requirements-file-format/
Looking at the format it supports bare, pinned, or version ranges.
I imagine ranges are preferred for libraries as you’d hit version conflicts if the same dependency showed up twice with different pinned versions in the dependency tree.
https://pip.pypa.io/en/stable/topics/dependency-resolution/#backtracking
The post suggests that during backtracking the maximum version considered for any dependency must be a certain age to reduce the attack surface of malicious releases assuming the vulnerability will be caught within the desired window.