What is PEP 751?

Python Enhancement Proposal 751 (PEP 751) introduces a standardized file format for specifying dependencies to enable reproducible installation in Python environments. This proposal, authored by Brett Cannon and accepted in March 2025, establishes a formal specification for lock files in the Python ecosystem.

Lock files serve a critical purpose in modern software development: they record the exact versions of dependencies needed to reproduce a consistent environment. Until now, the Python ecosystem lacked a standard format for lock files, with tools like PDM, pip freeze, pip-tools, Poetry, and uv each using their own approaches.

Why Lock Files Matter

Lock files solve several key problems in dependency management:

  1. Reproducibility: They ensure the same packages are installed regardless of when or where installation occurs.
  2. Consistency: Everyone working on a project installs the exact same dependencies.
  3. Security: By pinning specific versions and recording file hashes, they let installers reject packages that have been substituted or tampered with, which guards against a class of supply chain attacks.

Without a lock file standard, tooling has been fragmented, creating issues with portability and vendor lock-in. Different tools couldn’t easily consume each other’s lock files, forcing developers to choose a single ecosystem or manage complex conversions.

Key Features of PEP 751

The PEP 751 lock file format (pylock.toml) offers several important features:

  • Human-readable TOML format: Makes auditing and debugging easier
  • No resolver needed at install time: Simplifies and speeds up installation
  • Security by default: Includes file hashes to verify package integrity
  • Compatibility with multiple use cases: Supports both single-use and multi-use lock files
  • Environment markers support: Handles platform-specific dependencies
  • Support for package attestations: Enhances supply chain security

Lock File Structure

The standard defines a TOML-based file with a clear structure:

lock-version = "1.0"
environments = ["sys_platform == 'linux'", "sys_platform == 'win32'"]
requires-python = ">=3.12"
created-by = "tool-name"

[[packages]]
name = "package-name"
version = "1.2.3"
wheels = [
  {name = "package-1.2.3-py3-none-any.whl", hashes = {sha256 = "..."}}
]

This format captures all necessary information to install dependencies consistently across environments while maintaining human readability.
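As an added example (not code from PEP 751 or from any packaging tool), the script below parses a constructed pylock.toml, selects the packages whose marker matches a given environment, and checks an artifact's bytes against the sha256 recorded in the lock before trusting it. It assumes only the simple `name == 'value'` marker form shown in the file, and the recorded hash is the sha256 of the constructed wheel bytes b"abc".

```python
"""Check artifacts against a pylock.toml lock file (added example, not PEP 751 code)."""
import hashlib
import hmac

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed lock file; the sha256 below is the digest of the constructed bytes b"abc".
PYLOCK = """
lock-version = "1.0"
environments = ["sys_platform == 'linux'", "sys_platform == 'win32'"]
requires-python = ">=3.12"
created-by = "example-tool"

[[packages]]
name = "demo"
version = "1.2.3"
marker = "sys_platform == 'linux'"
wheels = [
  {name = "demo-1.2.3-py3-none-any.whl", hashes = {sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}}
]
"""


def marker_matches(marker, env):
    """Evaluate a marker of the form `name == 'value'` or `name != 'value'` (assumed subset)."""
    if not marker:
        return True  # no marker means the package applies everywhere
    parts = marker.split()
    if len(parts) != 3 or parts[1] not in ("==", "!="):
        raise ValueError(f"unsupported marker: {marker!r}")
    name, op, value = parts
    actual = env.get(name)
    value = value.strip("'\"")
    return actual == value if op == "==" else actual != value


def select_packages(lock_text, env):
    """Parse the lock and return the package tables that apply to `env`."""
    lock = tomllib.loads(lock_text)
    if lock.get("lock-version") != "1.0":
        raise ValueError("unsupported lock-version")
    return [p for p in lock["packages"] if marker_matches(p.get("marker"), env)]


def verify_wheel(package, wheel_name, data):
    """Return True only if `data` matches every hash the lock records for `wheel_name`."""
    for wheel in package["wheels"]:
        if wheel["name"] == wheel_name:
            return all(
                hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)
                for algo, expected in wheel["hashes"].items()
            )
    raise LookupError(f"{wheel_name} is not recorded in the lock file")
```

A wheel whose bytes differ from the recorded digest, or whose name is absent from the lock, is refused rather than installed.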

Single-Use vs. Multi-Use Lock Files

PEP 751 supports two approaches to lock files:

  1. Single-use lock files: Similar to requirements.txt, serving a single purpose (like development or production dependencies)
  2. Multi-use lock files: Support multiple use cases through extras and dependency groups within a single file, reducing duplication and coordination challenges

Adoption by Python Packaging Tools

For PEP 751 to make a real difference, it must be implemented by the various Python packaging tools. Tool maintainers of pip, Poetry, PDM, uv, and others will need to update their software to support reading and writing the new pylock.toml format. Some tools may initially only export to this format while maintaining their own internal lock files, while others might fully adopt it as their primary mechanism.
