I have a somewhat unrelated question: is there a way to calculate a package set with minimal version numbers that fulfills pip requirements? I guess an audit would somehow need to do this to make sure no insecure packages are deployed as part of the transitive dependencies. I would just like to use this to make sure that the minimal version numbers actually work as part of a CI run and nobody accidentally used too-new features.

You can use a tool like `pip-compile`[1] to freeze a requirements-style input down to precise version numbers, but I'm not sure if you can tell it to select only the "minimum viable" version for each dependency. It might be easier to assume (perhaps incorrectly) that all dependencies are semver, freeze them, and then re-write them down to their minimal versions and re-install.

[1]: https://github.com/jazzband/pip-tools
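The "rewrite them down to their minimal versions" step from the reply above, as an added example that is not code from either poster or from pip-tools. It assumes the same simplification the reply makes (every declared lower bound is a valid release), works only on the specifiers in a `requirements.in`, and flags lines whose minimum cannot be read off the specifier alone; the sample lines are constructed.

```python
import re

# name[extras]specifiers ; marker  (stdlib-only approximation of a PEP 508 line)
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>[^;]*?)\s*(?:;\s*(?P<marker>.+))?$"
)

def _vkey(version: str) -> tuple:
    """Order release segments numerically; pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def minimal_pin(line: str) -> tuple[str, bool]:
    """Rewrite one requirements.in line to its declared lower bound.

    Returns (new_line, pinned). A line with no >=, ==, ~= clause, or whose
    lower bound is excluded (!=) or contradicted by an upper bound, cannot be
    minimised from the specifier alone and comes back unchanged, pinned=False.
    """
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("-"):          # blank, comment, -r/-e/--option
        return line, False
    m = _REQ_RE.match(body)
    if not m:
        return line, False
    name, extras, spec, marker = m.group("name", "extras", "spec", "marker")
    lowers, excluded, uppers = [], [], []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op = re.match(r"[<>=!~]+", clause)
        if not op:
            return line, False
        op, ver = op.group(), clause[op.end():].strip()
        if op in (">=", "==", "~=", "==="):
            lowers.append(ver)
        elif op == "!=":
            excluded.append(ver)
        elif op in ("<", "<="):
            uppers.append((op, ver))
        # a bare ">" gives no concrete minimum; if it is the only clause we skip the line
    if not lowers:
        return line, False
    low = max(lowers, key=_vkey)                  # several lower bounds: the highest wins
    if any(_vkey(v) == _vkey(low) for v in excluded):
        return line, False                        # minimum itself excluded; next release unknown
    for op, ver in uppers:
        if _vkey(low) > _vkey(ver) or (op == "<" and _vkey(low) == _vkey(ver)):
            return line, False                    # contradictory range; leave it for a human
    pinned = f"{name}{extras or ''}=={low}" + (f" ; {marker}" if marker else "")
    return pinned, True

def minimize_requirements(text: str) -> tuple[str, list[str]]:
    """Apply minimal_pin to every line; return new text plus the lines left unpinned."""
    out, unpinned = [], []
    for line in text.splitlines():
        new, ok = minimal_pin(line)
        out.append(new)
        if not ok and line.strip() and not line.lstrip().startswith(("#", "-")):
            unpinned.append(line.strip())
    return "\n".join(out), unpinned

# Constructed sample requirements.in, not taken from any real project.
SAMPLE = 'requests>=2.20.0,<3\ncryptography[ssh]~=41.0 ; python_version >= "3.8"\n' \
         'urllib3>=1.26.5,!=1.26.5\npyyaml<6\n-r base.txt\n'
```

Install the rewritten file in a separate CI job and run the test suite against it; anything reported as unpinned needs a real lower bound added to `requirements.in` before the job can prove the minimums work.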