I'm trying to write my own Python dependency known-vulnerability scanner (similar to pyup.io).<p>But I'm not very familiar with how dependency resolution works in the Python world. Do people tend to use requirements.txt or one of the newer tools like pipenv / poetry / pip-tools? Are there any other ways to specify dependencies in Python? What's the best way?