New Python lock file format will specify dependencies

Python’s builders have accepted a proposal to create a universal lock file format for Python projects that would specify dependencies, enabling installation reproducibility in a Python environment.

Python Enhancement Proposal (PEP) 751, accepted March 31, aims to create a new file format for specifying dependencies that is machine-generated and human-readable. Installers consuming the file should be able to calculate what to install without needing dependency resolution at install-time, according to the proposal.

Currently no standard exists to create an immutable record, such as a lock file, that specifies what direct and indirect dependencies should be installed into a Python virtual environment, the proposal states. There have been at least five well-known solutions to the problem in the community, including PDM, pip freeze, pip-tools, Poetry, and uv, but these tools vary in what locking scenarios are supported. ”By not having compatibility and interoperability it fractures tooling around lock files where both users and tools have to choose what lock file format to use upfront, making it costly to use/switch to other formats,” the proposal says.

Human readability of the file format enables contents of the file to be audited, to make sure no undesired dependencies are included in the lock file. The file format also is designed to not require a resolver at install time. This simplifies reasoning about what would be installed when consuming a lock file. It should also lead to faster installs, which are much more frequent than creating a lock file.

The format has not yet been associated with a specific release of Python, but is guidance for tooling going forward. Actual adoption remains open-ended. Acceptance of the format is full and final, not provisional. The universal format has been the subject of an estimated four years of discussion and design.

InfoWorld Senior Writer Serdar Yegulalp contributed to this report.