Daemon ignores requirements.txt and allows dependency drift for Python plugins

[WH-2099]

Self Checks

To make sure we get to you in time, please check the following :)

• This is only for bug report, if you would like to ask a question, please head to Discussions.
• I have searched for existing issues Dify issues & Dify Official Plugins, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:）
• Please do not modify this template :) and fill in all the required fields.

Dify version

See about section in Dify console

Plugin version

See this in the marketplace, it's the version of the plugin you are using

Cloud or Self Hosted

How / Where was Dify installed from?

• Cloud
• Self Hosted (Docker)
• Self Hosted (Source)

Steps to reproduce

When a Python plugin contains both pyproject.toml and requirements.txt, the daemon currently prioritizes pyproject.toml in setup_python_environment.go and runs uv sync. In practice, this means requirements.txt is ignored during deployment.

This becomes a problem when uv.lock is not committed. Some plugins, such as models/gemini, had uv.lock excluded by .gitignore, so the deployment environment cannot use a locked dependency graph.

The issue is made worse because the daemon runs uv sync without --frozen. If uv.lock is missing, uv resolves dependencies again from the version ranges in pyproject.toml, which can pull different package versions on each deployment.

Current behavior:

• pyproject.toml completely overrides requirements.txt
• requirements.txt may exist but is effectively unused during deploy
• missing uv.lock leads to dynamic dependency resolution
• deployments are not reproducible and may break without any plugin code change

Expected behavior:

• if pyproject.toml is used, uv.lock should be required and committed
• deployment should run uv sync --frozen
• deployment should fail fast when pyproject.toml exists but uv.lock is missing

models/gemini is a concrete example where this created dependency drift risk.

✔️ Error log

Please include the error log here, wrap it in a code block.

If applicable, paste the error log here.

[dosubot]

Hi, @WH-2099. I'm Dosu, and I'm helping the dify-official-plugins team manage their backlog and am marking this issue as stale.

Issue Summary:

• You reported that the daemon prioritizes pyproject.toml over requirements.txt for Python plugins, ignoring requirements.txt during deployment.
• This causes dependency drift when uv.lock is not committed, as uv sync runs without the --frozen flag.
• Your suggestion is to require committing uv.lock and run uv sync --frozen to ensure consistent, reproducible deployments.
• There has been no further activity or discussion on this issue since your report.

Next Steps:

• Please let us know if this issue is still relevant with the latest version of dify-official-plugins by commenting here.
• If we do not hear back within 5 days, this issue will be automatically closed.

Thank you for your understanding and contribution!