I've been experimenting with a new requirements.txt and requirements.txt.lock route.

Pip allows your requirements file to omit versions. That means: you can manually add your root requirements into your requirements.txt. Then you can

    pip install -r requirements.txt

Then you can do

    pip freeze > requirements.txt.lock

commit that, and now everyone can use the prepared lock file. If you want to refresh your package versions, try

    pip install -U -r requirements.txt

and it will update your dependencies. If anything breaks, you can uninstall it. If it all works out, you can lock again.

This way I can stay within pip tools and speed up package installs. One negative is having to manually fix dependency conflicts. But that is a price I'd be willing to pay for ease of development and deployment.

Edit: Also note that the article makes an excellent point concerning supply chain attacks which pipenv would have successfully mitigated in this particular case.
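The workflow above relies on two hand-edited files staying in step: if someone adds a root requirement to requirements.txt but forgets to re-run `pip freeze`, the lock silently stops covering it. The check below is an added example, not code from the commenter or from pip: it parses a constructed requirements.txt and a constructed `pip freeze` lock, normalises names the way PyPI does (case-insensitive, runs of `-`, `_`, `.` collapsed), rejects any lock line that is not an exact `==` pin, and reports root requirements the lock does not pin. Function names and the sample package versions are assumptions for the example.

```python
"""Check that a pip-freeze lock file pins every root requirement (added example)."""
import re
from typing import Dict, List, Set

# Hand-maintained requirements.txt with versions deliberately omitted (constructed sample).
ROOT_REQS = """\
# root requirements; versions left to the lock file
requests
flask>=2
pyyaml
"""

# Output of `pip freeze` committed as requirements.txt.lock (constructed sample;
# note that pyyaml was added to the root file after this freeze was taken).
LOCK_FILE = """\
blinker==1.7.0
certifi==2024.2.2
charset-normalizer==3.3.2
click==8.1.7
Flask==3.0.2
idna==3.6
itsdangerous==2.1.2
Jinja2==3.1.3
MarkupSafe==2.1.5
requests==2.31.0
urllib3==2.2.1
Werkzeug==3.0.1
"""

# Project name at the start of a requirement line, before any specifier such as >=2
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Flask' and 'flask' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Return normalised project names from a requirements file, ignoring comments and pip options."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or an option such as -r / -e
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def parse_lock(text: str) -> Dict[str, str]:
    """Return {name: version} for every lock line; raise if a line is not an exact '==' pin."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"lock line is not an exact pin: {line!r}")
        pins[normalize(name)] = version.strip()
    return pins


def missing_from_lock(root_text: str, lock_text: str) -> Set[str]:
    """Root requirements that the lock file does not pin at all."""
    roots = set(parse_requirements(root_text))
    return roots - set(parse_lock(lock_text))


if __name__ == "__main__":
    unpinned = missing_from_lock(ROOT_REQS, LOCK_FILE)
    if unpinned:
        print("root requirements missing from lock:", sorted(unpinned))
    else:
        print("lock covers every root requirement")
```

Run it as a pre-commit or CI step on the real files by reading them instead of the embedded samples. One caveat on the supply-chain point in the edit above: `pip freeze` records versions but not hashes, so a lock produced this way cannot be installed with `pip install --require-hashes`; pip-tools can emit hashes into the compiled file with its `--generate-hashes` option.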

Check out pip-tools [1] which does exactly that, albeit in a slightly more polished way.

[1]: https://github.com/jazzband/pip-tools