Does it pin versions of 2nd degree dependencies too? Like pip freeze would do?
Also, when you remove a package, does it know to clear packages that were its deps and are not needed anymore?
For the second, pip-compile computes the new requirements.txt (which is effectively the lockfile) from scratch, and pip-sync (not shown in that Makefile fragment) removes packages that are no longer listed there.
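As an added example (not code from this thread or from pip-tools itself), a small Python model of the two behaviours discussed: a parser for pip-compile's lockfile format, which shows that transitive dependencies such as certifi are pinned too, each with a "# via" note and hashes, and a sync_plan function that mimics what pip-sync does by diffing the lockfile against what is installed. The lockfile text and the installed set are constructed; KEEP stands for pip-sync's practice of leaving pip, setuptools and wheel in place.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample in pip-compile's output format (not a real lockfile): certifi
# is pinned as a transitive dep of requests; --hash lines come from --generate-hashes.
LOCKFILE = """\
# This file is autogenerated by pip-compile with Python 3.11
#    pip-compile --generate-hashes requirements.in
certifi==2024.2.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
    # via requests
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
    # via -r requirements.in
"""
# pip-sync leaves its own tooling installed even when the lockfile omits it.
KEEP = {"pip", "setuptools", "wheel", "pip-tools"}

def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lockfile(text: str) -> Dict[str, dict]:
    """Return {name: {version, hashes, via}} for every pinned requirement."""
    pins: Dict[str, dict] = {}
    current = None
    # Join backslash continuations so --hash options sit on their pin's line.
    for line in text.replace("\\\n", " ").splitlines():
        s = line.strip()
        if s.startswith("# via") and current:
            pins[current]["via"] = s[len("# via"):].strip()
        elif not s or s.startswith("#"):
            continue
        else:
            m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", s)
            if not m:  # an unpinned line would defeat the lockfile
                raise ValueError(f"unpinned or unparsable line: {s!r}")
            current = canonical(m.group(1))
            pins[current] = {"version": m.group(2), "via": "",
                             "hashes": re.findall(r"--hash=(\S+)", s)}
    return pins

def sync_plan(pins: Dict[str, dict], installed: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Mimic pip-sync: install/upgrade to the pinned versions, remove the rest."""
    want = {n: p["version"] for n, p in pins.items()}
    have = {canonical(n): v for n, v in installed.items()}
    to_install = sorted(f"{n}=={v}" for n, v in want.items() if have.get(n) != v)
    to_remove = sorted(n for n in have if n not in want and n not in KEEP)
    return to_install, to_remove
```

Running sync_plan on a constructed installed set such as {"Requests": "2.30.0", "certifi": "2024.2.2", "pip": "24.0", "leftover-dep": "1.0"} yields requests==2.31.0 to install and leftover-dep to remove, while pip is left alone.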