How to build and deploy applications with locked transitive dependencies?

I don’t particularly see the benefits of using vendor packages instead of fetching them from a private package index, pinning all transitive dependencies and saving the hashes.

I’m familiar with that project, but that’s not where the problem I’m trying to solve lies.

Who exactly do you mean by “consumers” then? I’m building an application and distributing it as a wheel to internal end users. They install the application (deploy it on their servers), and I want to ensure that they install it with exactly the same dependencies (i.e., the same versions of Python packages) that I used during testing. Based on another discussion about lock files, it seems that lock files are designed specifically for this purpose.
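The property the last reply asks for (end users install exactly the package set that was tested) is what a hash-pinned lock file enforces: `pip-compile --generate-hashes` (pip-tools) records every transitive dependency with an exact version and its artifact hashes, and `pip install --require-hashes -r <lock>` refuses to install anything not pinned and hashed. The POSIX shell script below is an added example, not code from the thread: it checks a requirements-style lock file before deployment and reports any line that is not pinned with `==` or carries no `--hash`, the same two conditions pip's `--require-hashes` mode rejects. The sample lock file and its hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-deployment check that a pip lock file is fully pinned and hashed.
# The sample lock content below is constructed for illustration; the hashes are not real.

# write_sample_lock FILE: writes a constructed lock file in pip-compile --generate-hashes
# layout, deliberately containing one unpinned and one unhashed requirement.
write_sample_lock() {
  cat > "$1" <<'EOF'
# constructed sample; not a real pip-compile output
certifi==2024.2.2 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
requests>=2.31 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
urllib3==2.2.1
EOF
}

# check_lock FILE: prints one line per violation; exit status 0 means the file
# would be accepted by `pip install --require-hashes -r FILE` as far as pinning
# and hash presence go (pip still verifies the hash values themselves).
check_lock() {
  awk '
    # Join backslash-continued physical lines into one logical requirement line.
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Skip comments and blank lines.
    line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/ { next }
    {
      # The requirement specifier is the first non-empty whitespace-separated token.
      n = split(line, tok, /[[:space:]]+/)
      spec = ""
      for (i = 1; i <= n; i++) if (tok[i] != "") { spec = tok[i]; break }
      # An exact pin is required; ranges (>=, ~=, etc.) let the installed set drift.
      if (spec !~ /==/) { print "not pinned: " spec; fails++ }
      # At least one --hash is required so the downloaded artifact is verified.
      if (line !~ /--hash=sha256:[0-9a-f]+/) { print "no hash: " spec; fails++ }
    }
    END { exit (fails > 0) }
  ' "$1"
}

# Stand-alone demo: write the sample, check it, and report the outcome.
lock=$(mktemp)
write_sample_lock "$lock"
if check_lock "$lock"; then
  echo "lock file is fully pinned and hashed; safe to use with --require-hashes"
else
  echo "lock file is NOT ready for: pip install --require-hashes -r $lock"
fi
rm -f "$lock"
```

Running the check on the constructed sample reports `requests>=2.31` as not pinned and `urllib3==2.2.1` as missing a hash; `certifi` passes because it has both. Running it as a CI gate on the lock file shipped inside the wheel's deployment bundle catches a lock that was hand-edited or regenerated without `--generate-hashes` before it reaches the end users' servers.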