@MrTango I hope you mean pyproject.toml, not yml, otherwise I missed an update to the Python packaging infrastructure.
```
cat constraints.txt | xargs poetry add
```
I assume this installs all packages mentioned in constraints.txt. You could do that if you want, and it can be useful for checking, but you will get lots of packages that you do not need. For example, you get zc.buildout and zest.releaser, which are not needed to run Plone in pip.
I am definitely interested in new ways to handle our dependency pinning. My dream:
- `zc.buildout` reads the `constraints.txt` file instead of having its own versions. Perhaps via a buildout extension.
- Then we can treat `constraints.txt` as the canonical location of our version pins.
- Have a clear separation between packages that we want a specific version of (mostly Plone and Zope packages) and their dependencies, where using the latest version is probably fine.
- Regularly let `pip` or `poetry` or `pip-tools` or another already existing tool update the version pins for the dependencies. For example, I don't care which version of `requests` is used in Plone, and it is probably fine to update this to five major versions higher even in a Plone bugfix release.
I do occasionally call bin/checkversions or bin/versioncheck to see if there are updates, but this is tedious and error prone. If a widely used Python packaging tool can help here, that would be welcome.
I have not yet found the proper recipe/procedure for this.
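A sketch of the first and third wishes above, as an added example that is not part of the original post and not an existing buildout extension: it reads exact `==` pins from a `constraints.txt`, separates deliberately pinned packages from ordinary dependencies, and renders a buildout `[versions]` section. The sample pins, the prefix list and all function names are assumptions made for illustration.

```python
import re

# Constructed sample input; not Plone's real constraints.txt.
SAMPLE = """\
# constructed sample pins
Products.CMFPlone==6.0.0
plone.api==2.0.0
Zope==5.8
requests==2.31.0  # transitive dependency
zc.buildout==3.0.1
importlib-metadata==6.0.0; python_version < '3.8'
-c other-constraints.txt
urllib3>=1.26
"""

# Assumption: these name prefixes mark packages whose version is chosen on purpose.
CORE_PREFIXES = ("plone", "products.", "zope")

# Only a bare "name==version" line counts as a pin that buildout can express.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)\s*$")


def parse_pins(text):
    """Return ({name: version}, [lines that are not plain exact pins])."""
    pins, skipped = {}, []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        match = PIN.match(line)
        if match:
            pins[match.group(1)] = match.group(2)
        else:
            # Markers, ranges and "-c" includes are reported, never silently dropped.
            skipped.append(line)
    return pins, skipped


def split_core(pins, prefixes=CORE_PREFIXES):
    """Split pins into (core, dependencies) by case-insensitive name prefix."""
    core = {n: v for n, v in pins.items() if n.lower().startswith(prefixes)}
    deps = {n: v for n, v in pins.items() if n not in core}
    return core, deps


def to_buildout_versions(pins):
    """Render pins as a buildout [versions] section, sorted by name."""
    body = [f"{name} = {pins[name]}" for name in sorted(pins, key=str.lower)]
    return "\n".join(["[versions]"] + body) + "\n"
```

Lines with environment markers or version ranges land in the skipped list, because a buildout `[versions]` entry cannot express them and dropping the marker would change which version gets installed.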