★ 7/10 · Ai · 2026-04-28

What's new in pip 26.1 - lockfiles and dependency cooldowns!

Pip 26.1 introduces native support for lockfiles and dependency cooldowns, providing new mechanisms for environment reproducibility and package stability. This release also officially drops support for Python 3.9.

Key Points

  • New pip lock command generates a pylock.toml file containing the complete dependency tree.
  • Introduction of the --uploaded-prior-to flag to implement dependency cooldowns.
  • Dropped support for Python 3.9.
  • The --uploaded-prior-to option utilizes a simplified ISO duration format: P<number>D (e.g., P4D for 4 days).

Technical Details

The pip lock command allows developers to create reproducible environments by capturing all top-level packages and their sub-dependencies in a pylock.toml file. This file records the specific versions of the entire dependency tree; for example, running pip lock datasette llm can generate a pylock.toml file containing over 500 lines of dependency definitions.

To mitigate the risks associated with newly released or unvetted packages, pip 26.1 introduces dependency cooldowns via the --uploaded-prior-to option. This feature allows users to specify a minimum age for a package release. The syntax follows a simplified ISO duration format where P is followed by the number of days and D. For instance, the command pip install llm --uploaded-prior-to P4D instructs the installer to only select versions of the package that were uploaded at least four days prior to the installation attempt.
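The selection rule described above (only accept a release uploaded at least the cooldown period before the install attempt) is easy to model. The following is an added example, not code from pip or from the original post: it parses the P<number>D form, computes the cutoff from a supplied "now", and picks the newest version whose upload time is on or before that cutoff. The package name, release dates and version numbers are constructed sample data, and the plain dotted-integer version comparison is a simplification of real version ordering.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed release index for a hypothetical package; upload times are
# UTC ISO 8601 strings as a package index would report them.
SAMPLE_RELEASES = {
    "1.0.0": "2026-03-01T10:00:00+00:00",
    "1.1.0": "2026-04-20T09:30:00+00:00",
    "1.2.0": "2026-04-27T18:45:00+00:00",  # uploaded one day before "now" below
}

# Simplified ISO duration accepted by --uploaded-prior-to: P<days>D
DURATION_RE = re.compile(r"^P(\d+)D$")


def parse_cooldown(value: str) -> timedelta:
    """Parse 'P4D' into timedelta(days=4); reject anything else."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"expected P<number>D, got {value!r}")
    return timedelta(days=int(m.group(1)))


def version_key(version: str) -> tuple:
    """Order dotted integer versions numerically (simplified ordering)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases: dict, cooldown: str, now: datetime) -> list:
    """Return versions uploaded at least `cooldown` before `now`, oldest first."""
    cutoff = now - parse_cooldown(cooldown)
    eligible = []
    for version, uploaded in releases.items():
        uploaded_at = datetime.fromisoformat(uploaded)
        if uploaded_at.tzinfo is None:
            uploaded_at = uploaded_at.replace(tzinfo=timezone.utc)
        # A release is only acceptable once it has aged past the cutoff.
        if uploaded_at <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=version_key)


def select_version(releases: dict, cooldown: str, now: datetime):
    """Newest version that satisfies the cooldown, or None if nothing does."""
    candidates = eligible_versions(releases, cooldown, now)
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    now = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)
    for cooldown in ("P0D", "P4D", "P90D"):
        print(cooldown, "->", select_version(SAMPLE_RELEASES, cooldown, now))
```

With a four-day cooldown the one-day-old 1.2.0 is skipped in favour of 1.1.0; with a cooldown longer than the package's entire history no version qualifies, which is the case an installer has to surface as a resolution failure rather than silently falling back to a fresh release.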

Impact / Why It Matters

Lockfiles significantly improve environment consistency across development, testing, and production stages. Dependency cooldowns provide a built-in mechanism for developers to avoid potentially unstable or malicious package versions immediately following their release.

python pip devops