New Standard Lock File Format for Python Package Management

With the adoption of PEP 751, the Python development community has introduced the pylock.toml format, a uniform and secure solution for managing dependencies. This change addresses a long-standing issue: there was no official standard to ensure that package versions and dependencies were handled consistently across different environments.

Pylock.toml is a TOML-based lock file that is automatically generated yet remains human-readable. It accurately records package versions, file hash values, and installation sources. This unified solution improves security and ensures that deployments can be reproduced reliably.

One of the main goals of the new format is to make dependency management more secure. Hash checks will be mandatory for all packages, offering stronger protection against supply chain attacks. In addition, recording file sizes, upload timestamps, and source locations will simplify auditing and help trace potential security incidents.

Previously, the Python community used various tools like pip freeze, pip-tools, Poetry, and PDM—each with its own format. This led to fragmented practices in package management. The introduction of pylock.toml resolves this issue by providing a common standard that every tool can support.

The standard also introduces the concepts of “lockers” and “installers.” Lockers are tools that create lock files, while installers perform installations based on those files. This separation even allows cloud service providers to implement their own installers without needing a Python interpreter.

A significant advantage of the pylock.toml format is that it reduces the need to resolve dependencies at deployment time. This results in faster and more predictable deployments, which is especially important in continuous integration and delivery (CI/CD) processes.

The format supports both single-use and reusable lock files. A single-use file locks one installation scenario, much like requirements.txt, while a reusable file lets you cover extras and dependency groups within a single file.

Consistency with Other Ecosystems

With this change, Python joins other programming languages that have long used a standardized lock file format. For example, JavaScript uses package-lock.json, Rust uses Cargo.lock, and PHP uses composer.lock. This standardization not only improves the stability of the Python ecosystem but also makes it easier for different development tools to work together.

Impact of the New Standard

The introduction of pylock.toml will provide better auditing capabilities for companies and security teams while reducing the risk of attacks that exploit dependency issues. Moreover, increased interoperability allows developers to manage dependencies in a more flexible and secure way without relying on a single tool or service provider.

It is expected that major Python package management tools such as pip, Poetry, and PDM will gradually adopt the new standard—either as the primary lock file format or as an export option. This progress will lead to a more robust, predictable, and secure Python package management environment that remains sustainable and easy to maintain over the long term.
