Thanks Brett! Really appreciate all the work that’s gone into the PEP. I know lockfiles have been a journey
I’ll try to keep it brief, but some background on how this all works in uv today. Historically, we’ve used the requirements.txt format as both resolver input and resolver output in the uv pip interface. (E.g., the convention is to use requirements.in as the name of an input file, and requirements.txt as the output, but the fundamental format is of course the same.) So requirements.txt is used as a sort of “lockfile” by way of being the uv pip compile output.
Separately, we have a series of APIs that are available in preview but haven’t been stabilized, which use pyproject.toml as input and a new uv.lock format as output (defined here in code; here’s an example snapshot). The uv.lock file is designed to handle what was referred to as Poetry- or PDM-style “universal” resolution, such that we produce a single lock for all environments (like “Package Locking” in this PEP). Like this proposal, it doesn’t require doing a “resolution” at install time, though there are some differences in the format.
My previous opinion was that we’d support the File Locking behavior that was put forth in the last proposal, but that we couldn’t yet commit to support the Package Locking behavior (if the proposal were amended) since we weren’t yet sure on our own requirements.
After reading the current proposal, my feeling is that, if standardized as-is, our intent would be to support PEP 751-style lockfiles, but as an alternative to requirements.txt rather than uv.lock (so, uv pip compile could produce them, and our installer APIs could consume them). The Package Locking proposal is close to what we need, but there are some important differences. For example:
- We include all extras and dependency groups (i.e., development dependencies) in the lockfile, so that users can toggle the enabled extras at install time. (Poetry does this too, IIRC?)
- We include uv-specific metadata in the lockfile (e.g., whether pre-releases were enabled; whether the user locked with minimum or maximum version resolution), so that we can invalidate it if the user changes those settings.
- We have a distinction between packages that are locked as editable vs. those that are not.
(Of course, I’m open to discussing these requirements and whether they make sense to tackle within the scope of the PEP; more just reporting the world as it exists today.)
My honest opinion (which is biased) is that the lockfile proposed here is a clear improvement over the way we use requirements.txt today, but not a clear improvement over the formats used by Poetry, PDM, uv, etc. for their lockfile use-cases, and so I’m worried that there won’t be enough value-add to convince those tools to move over, given that they already serve as both resolvers and installers (and so benefit less from standardization here when weighed against the ability to iterate independently on their own proprietary formats). And, in that light, I kind of prefer a proposal that just does File Locking and eschews the complexity of Package Locking. But again, if standardized, my intent would be for us to support it as an input and output format in the uv pip APIs and elsewhere as appropriate.