It's a good practice to allow security/bugfix releases. Freezing versions of libs shouldn't be done in the source code. It's a deployment issue.
@@ -1,4 +1,4 @@
-Django==1.9.3
-PyYAML==3.11
+Django>=1.9.3,<1.10
+PyYAML>=3.11,<4.0
pytz
sqlparse
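Review bot: the unchanged context lines `pytz` and `sqlparse` still carry no version bounds at all, so after this change nothing in the file resolves to a fixed version, and `PyYAML>=3.11,<4.0` accepts every later 3.x release rather than only patch releases of 3.11. If freezing is meant to happen at deployment, this change should say where the frozen set lives, for example a constraints file generated with `pip freeze` and applied with `pip install -c`, so that two deployments built from the same commit install the same packages. Consider giving `pytz` and `sqlparse` lower and upper bounds in the same style as the two changed lines, or noting in the commit message why they are left open.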