Python Introduces New Standard Lock File Format to Enhance Security

Python has officially introduced a standardized lock file format with the acceptance of PEP 751, marking a major advancement in the Python packaging ecosystem.

The file, named pylock.toml (with pylock.*.toml allowed for named variants), tackles long-standing dependency management problems by recording, in one consistent form, the exact package versions to install, the hashes of the files that provide them, and the sources they come from. That record is what makes an install reproducible and auditable. According to the PEP, “Currently, no standard exists to create an immutable record, such as a lock file, which specifies what direct and indirect dependencies should be installed into a virtual environment.”

Addressing Fragmentation 

The absence of a standard lock file format has led to fragmentation: PDM, pip freeze, pip-tools, Poetry, and uv each produce their own incompatible output. The TOML-based format is meant to be machine-readable and still readable by humans, while carrying the hash and source information that plain requirements files leave optional.

Security-First Design 

In a requirements.txt file, the --hash option is optional and pip only enforces hash checking once a hash is present. pylock.toml instead requires at least one hash for every file entry it references (each sdist, wheel, or archive), and installers are expected to verify those hashes before installing; packages taken from a version control system are pinned by commit ID instead, and the only entries without hashes are local directories, where there is no fixed artifact to hash. The format can also record each file's size, its upload time, and the index or URL it was resolved from, which helps when auditing an environment or investigating a suspect build.

The PEP emphasizes that “the file format should promote good security defaults.” Because the file is meant to be written by tools rather than by hand, requiring lockers to emit these security details is seen as a reasonable and necessary safeguard.

Introducing Lockers and Installers 

PEP 751 defines two key roles: 

  • Lockers – Tools that generate lock files. 
  • Installers – Tools that install packages based on lock files. 

This separation keeps the hard work (resolution, hashing, marker generation) in the locker, so an installer can be a comparatively simple program. The PEP notes this lets a cloud hosting provider, for example, write its own installer without needing a Python interpreter on the target.

The format supports both single-use and multi-use lock files: 

  • Single-use files pin one set of packages for one purpose, much like a requirements.txt file. 
  • Multi-use files cover several environments in one file by recording extras, dependency groups, and per-package environment markers, leaving it to the installer to select what applies. 

Each package entry in pylock.toml can carry: 

  • Normalized package name 
  • Exact version number 
  • Environment markers for conditional installation 
  • Python version compatibility requirements 
  • Hash values for the files to be installed 
  • File sizes as an additional check 
  • Upload timestamps for auditing 
  • Source locations (index, URL, path, or VCS commit) 

Unifying the Python Packaging Ecosystem 

Brett Cannon, the author of PEP 751, highlights that this standard replaces PEP 665 and aims to unify Python’s dependency management approach. By aligning with ecosystems like JavaScript (package-lock.json), Rust (Cargo.lock), and PHP (composer.lock), Python now offers a standardized format that simplifies package management for developers and organizations. 

For enterprises and security teams, this means better auditing, more reliable builds, and a stronger defence against dependency confusion and substitution attacks: because each file's hash and source are fixed in the lock, an installer will refuse a package that was swapped out or served from an unexpected index. Since the installer no longer resolves dependencies, installs are also faster and more predictable, which matters for CI/CD pipelines and production deployments. 

As the PEP states, "Centralizing complexity in lockers simplifies installer implementation," ultimately leading to more robust tooling across the Python ecosystem. 

As the major Python packaging tools adopt pylock.toml, the shared format should improve interoperability between them, reduce lock-in to any one tool, and raise the security baseline across the Python ecosystem. 
