What is a lockfile?

A lockfile is a text file that records the exact version of every dependency a project uses; it acts as a contract that makes environments reproducible across machines and over time.

A lockfile might record:

  • Exact versions of all direct and transitive dependencies
  • Cryptographic hashes to verify package integrity
  • Platform-specific requirements and constraints
  • Metadata about how dependencies were resolved

This creates a “single source of truth” for project dependencies that can be reliably reproduced.

The Python ecosystem lacked standardized lockfile support until PEP 751 was accepted in March 2025. Before that, each tool developed its own format:

  • poetry.lock from Poetry
  • Pipfile.lock from Pipenv
  • pdm.lock from PDM
  • uv.lock from uv
  • Requirements files with hashes from pip-tools
  • pylock.toml from pip 25.1+ via the experimental pip lock command (single-platform only)

Several of these tools also support writing or reading PEP 751’s pylock.toml format alongside their native lockfile, so a project’s primary lockfile and its shareable export can now be different files.
