LinuxCommandLibrary

pip-lock

Lock Python project dependencies

TLDR

Generate a pylock.toml for the current project
$ pip lock [[-e|--editable]] .

Lock dependencies from a requirements file
$ pip lock [[-r|--requirement]] [path/to/requirements.txt]

Specify a custom output file for the lock
$ pip lock [[-o|--output]] [path/to/lockfile.toml]

Lock a specific package and its dependencies
$ pip lock [package]

SYNOPSIS

pip-lock [options] ...

PARAMETERS

-h, --help
    Show the help message and exit.

-o OUTPUT, --output OUTPUT
    Specify the output filename for the lockfile (default: requirements.txt).

--index-url INDEX_URL
    Base URL for the Python Package Index (default: https://pypi.org/simple).

--extra-index-url EXTRA_INDEX_URL
    Extra URLs for the Python Package Index. Can be used multiple times.

--no-index
    Ignore the package index (only look in --find-links locations).

--find-links FIND_LINKS
    If a URL or path to an HTML file, then parse for links to archives. If a path to a directory, then look for archives in this directory. Can be used multiple times.

--force-reinstall
    Force reinstallation of all packages during the internal dry-run process, even if already present.

--verbose
    Show more detailed output during execution.

--version
    Show program's version number and exit.

DESCRIPTION

pip-lock is a Python package management utility designed to create a single, robust requirements.txt file. Unlike standard pip freeze, it resolves and includes all transitive dependencies, along with their corresponding SHA256 hashes. This ensures highly reproducible installations by preventing tampering or unexpected changes in package versions or sources.

It functions by internally using pip install --dry-run --report to determine the full dependency tree and gather package metadata, then generates a lockfile that can be used for secure and deterministic deployments. It accepts package names or existing requirement files as input, making it a powerful tool for maintaining strict control over project dependencies.

CAVEATS

pip-lock is not a standard pip command and requires separate installation (e.g., pip install pip-lock). It can be slower for large dependency trees due to the process of fetching and hashing all transitive dependencies. While aiming for high reproducibility, its reliance on pip install --dry-run might occasionally miss nuances in very complex or custom package builds, and it is generally less mature and widely adopted than alternatives like pip-tools.

DETERMINISTIC BUILDS

The primary benefit of pip-lock is to ensure absolutely deterministic builds. By locking down every dependency, including transitive ones, with specific SHA256 hashes, it guarantees that installing from the generated requirements.txt will always result in the exact same set of packages, bit-for-bit, preventing environmental drift and 'works on my machine' issues across different environments or over time.

SUPPLY CHAIN SECURITY

Including hashes for all packages provides a strong defense against supply chain attacks. If a package on a PyPI mirror or custom index is tampered with or replaced, the hash in the requirements.txt will no longer match, preventing the installation of potentially malicious code and alerting users to the discrepancy during the installation process.
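The two steps the DESCRIPTION and SUPPLY CHAIN SECURITY sections describe, turning a `pip install --dry-run --report` JSON into hash-pinned requirements lines and then checking a downloaded archive against those pins, as an added example. This is not pip-lock's own code; the report, the archive bytes and their hashes are constructed sample data, and the URL host is a placeholder. Only the top-level shape of the report ("version": "1" and an "install" list with download_info and metadata) follows pip's real installation report; the real one carries more fields.

```python
"""Hash-pinned lock generation and verification (added example, not pip-lock's own code).

Mirrors the flow the DESCRIPTION attributes to pip-lock: take the JSON that
`pip install --dry-run --report <file> ...` writes, and emit requirements.txt
lines that pin every resolved distribution (transitive ones included) to an
exact version and SHA256. A second function checks an archive against the
lock the way pip's --require-hashes mode does. The report, archives and
hashes below are all constructed sample data.
"""
import hashlib
import hmac
import json
import re

# Constructed stand-ins for the wheel files pip would have downloaded.
ARCHIVES = {
    "requests": b"constructed stand-in for requests-2.31.0-py3-none-any.whl",
    "idna": b"constructed stand-in for idna-3.6-py3-none-any.whl",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry(name: str, version: str, requested: bool) -> dict:
    """One item in the shape of pip's installation report (placeholder URL host)."""
    return {
        "download_info": {
            "url": f"https://files.example.invalid/{name}-{version}-py3-none-any.whl",
            "archive_info": {"hashes": {"sha256": sha256_hex(ARCHIVES[name])}},
        },
        "is_direct": False,
        "requested": requested,  # False marks a transitive dependency
        "metadata": {"name": name, "version": version},
    }


# Constructed report: one requested package plus one transitive dependency.
REPORT = json.dumps({
    "version": "1",
    "pip_version": "24.0",
    "install": [_entry("requests", "2.31.0", True), _entry("idna", "3.6", False)],
})


def normalize(name: str) -> str:
    """PEP 503 project-name normalization, so 'Requests' and 'requests' collide."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lock_from_report(report_json: str) -> str:
    """Render a pip installation report as hash-pinned requirements lines.

    Every entry must carry a sha256: pip --require-hashes rejects a file in
    which even one requirement is unhashed, so a partial lock is refused here.
    """
    report = json.loads(report_json)
    if report.get("version") != "1":
        raise ValueError(f"unsupported report version {report.get('version')!r}")
    pins = {}
    for item in report["install"]:
        meta = item["metadata"]
        sha = item["download_info"]["archive_info"].get("hashes", {}).get("sha256")
        if sha is None:
            raise ValueError(f"no sha256 recorded for {meta['name']}")
        name = normalize(meta["name"])
        if name in pins:
            raise ValueError(f"{name} resolved twice; refusing to emit an ambiguous lock")
        pins[name] = (meta["version"], sha)
    # Sorted output keeps the file byte-identical across runs with the same resolution.
    return "".join(
        f"{name}=={version} \\\n    --hash=sha256:{sha}\n"
        for name, (version, sha) in sorted(pins.items())
    )


LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)


def parse_lock(text: str) -> dict[str, tuple[str, str]]:
    """Read the lock back into {normalized-name: (version, sha256)}; unpinned lines are errors."""
    pins = {}
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        m = LOCK_LINE.match(logical)
        if m is None:
            raise ValueError(f"unpinned or malformed lock line: {logical!r}")
        pins[normalize(m["name"])] = (m["version"], m["sha"])
    return pins


def verify_archive(lock: dict[str, tuple[str, str]], name: str, archive: bytes) -> bool:
    """True only if the archive's SHA256 equals the hash pinned for `name`."""
    pinned = lock[normalize(name)][1]
    return hmac.compare_digest(sha256_hex(archive), pinned)


if __name__ == "__main__":
    text = lock_from_report(REPORT)
    print(text, end="")
    lock = parse_lock(text)
    # A mirror that served a different idna file is caught here.
    print("idna ok:", verify_archive(lock, "idna", ARCHIVES["idna"]))
    print("tampered idna ok:", verify_archive(lock, "idna", ARCHIVES["idna"] + b"\x00"))
```

The hash check only protects an installation when pip is told to enforce it: install from the generated file with `pip install --require-hashes -r requirements.txt`, which also fails if any requirement in the file lacks a pin, so a lock that silently dropped an entry cannot weaken the build.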

HISTORY

pip-lock emerged from the ongoing challenge in Python dependency management to achieve truly deterministic and secure builds. While tools like pip freeze provide a basic snapshot, and pip-tools compile offers robust dependency resolution, pip-lock specifically addresses the need for a single, comprehensive lockfile that includes all dependency hashes by default. This approach gained traction as a response to increasing concerns about supply chain security and the desire for stronger guarantees of reproducible environments, though its adoption has remained more niche than that of pip-tools.

SEE ALSO

pip(1), pip-tools(1)
