What is a lockfile?

A lockfile is a text file enumerating the specific version of every dependency used by a project; it serves as a contract that guarantees reproducible environments across different systems and time periods.

A lockfile might record:

  • Exact versions of all direct and transitive dependencies
  • Cryptographic hashes to verify package integrity
  • Platform-specific requirements and constraints
  • Metadata about how dependencies were resolved

This creates a “single source of truth” for project dependencies that can be reliably reproduced.

The Python ecosystem has lacked standardized lockfile support. Different tools developed their own lockfile formats:

  • poetry.lock from Poetry
  • Pipfile.lock from Pipenv
  • pdm.lock from PDM
  • uv.lock from uv
  • Requirements files with hashes from pip-tools
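As an added illustration (not from the original page or any of the tools listed), the following parses a constructed lockfile in the pip-tools "requirements with hashes" style and applies the two guarantees described above: every dependency must be pinned to an exact version, and a downloaded artifact is accepted only if its SHA-256 matches one of the recorded hashes. The package names, versions, artifact bytes and hashes are all constructed for the example.

```python
import hashlib
import re
from collections import namedtuple

# Constructed artifact contents standing in for two downloaded wheels.
ARTIFACTS = {"examplepkg": b"examplepkg-1.2.3 wheel bytes (constructed)",
             "otherpkg": b"otherpkg-0.9.0 wheel bytes (constructed)"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed lockfile in the pip-tools "requirements with hashes" style:
# exact pins, each followed by one or more --hash options on continuation lines.
LOCKFILE = (
    "examplepkg==1.2.3 \\\n"
    f"    --hash=sha256:{sha256_hex(ARTIFACTS['examplepkg'])}\n"
    "otherpkg==0.9.0 \\\n"
    f"    --hash=sha256:{sha256_hex(ARTIFACTS['otherpkg'])} \\\n"
    f"    --hash=sha256:{'0' * 64}\n"  # second allowed digest (constructed)
)

Pin = namedtuple("Pin", "name version hashes")
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")

def parse_lockfile(text: str) -> dict:
    """Join backslash continuations, then require every logical line to be an
    exact '==' pin carrying at least one sha256 hash (else raise ValueError)."""
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        name = m.group(1).lower().replace("_", "-")   # normalise the name
        hashes = frozenset(_HASH_RE.findall(line))
        if not hashes:
            raise ValueError(f"{name}: no --hash, integrity cannot be verified")
        pins[name] = Pin(name, m.group(2), hashes)
    return pins

def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> bool:
    """Accept an artifact only if this exact name and version is pinned and
    its SHA-256 is one of the hashes the lockfile recorded for it."""
    pin = pins.get(name.lower().replace("_", "-"))
    return pin is not None and pin.version == version and sha256_hex(data) in pin.hashes
```

A tampered artifact, a version drift, or an unpinned package all fail `verify_artifact`, and a lockfile that carries a range instead of an exact pin, or a pin without hashes, is rejected at parse time.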

An attempt to standardize lockfiles in 2021 via PEP 665 was ultimately rejected due to challenges around source distribution support and community consensus.
