What is a lockfile?

A lockfile is a text file enumerating the specific version of every dependency used by a project; it serves as a contract that guarantees reproducible environments across different systems and time periods.

A lockfile might record:

• Exact versions of all direct and transitive dependencies
• Cryptographic hashes to verify package integrity
• Platform-specific requirements and constraints
• Metadata about how dependencies were resolved

This creates a “single source of truth” for project dependencies that can be reliably reproduced.

The Python ecosystem has lacked standardized lockfile support. Different tools developed their own lockfile formats:

• poetry.lock from Poetry
• Pipfile.lock from Pipenv
• pdm.lock from PDM
• uv.lock from uv
• Requirements files with hashes from pip-tools

{{ < callout type=“info” >}} In March 2025, PEP 751 was accepted, which defines a standard format for lockfiles in the Python ecosystem. We can expect to see more tools adopting this standard in the future. {{ < /callout >}}

Learn More:

• PEP 751 – A file format to record Python dependencies for installation reproducibility