Is this autogenerated? If so, I'd put in a comment explaining how to update it.

vulnix is a tool right that one doesn't use to develop with a certain Python env (like e.g. pip or pytest), right? In that case it shouldn't be called from python-packages.nix but elsewhere. In that case the expression should have as argument python or pythonPackages instead of the individual Python packages/functions.

Okay, where to put it then?

call it from all-packages.nix.

what is the reason for using this specific version instead of the one we have in python-packages.nix?

Same goes for the other packages as well.

We have the habit to pin down versions of dependent packages.

setup.py:

install_requires=[
        'click==6.6',
        'colorama==0.3.7',
        'lxml==3.7.0',
        'pyyaml==3.11',
        'requests==2.10.0',
        'ZODB==5.1.1',
    ],

If there are recommendations to override those in setup.py, I'd like to know them. I am really uncertain about the pattern of dependence on external packages vs. nixpkgs' ones.

In my opinion its bad practice to pin versions exactly. Assuming dependencies use semantic versioning there is no need to pin exact versions. Unfortunately its a bit tedious to pin only to major or minor releases.

In any case, when we encounter packages that pin their dependencies even though there is no need for it, we patch those entries.
E.g.

postPatch = ''
  substituteInPlace setup.py --replace "sympy==0.7.6" "sympy"
'';

At the same time, managing versions in python-packages.nix is tedious, but it seems like we should address that more broadly than an individual package. If you absolutely must use a specific version, perhaps do something like pythonPackages.overrideDerivation (_: src = fetchPypi ...)? That way you can at least share any nix-specific patches people have applied to the other version, and we share more code.