Support pinned dependencies from pylock.toml (PEP 751) #20

@edgarrmondragon

Summary

Support reading pinned dependencies from pylock.toml files (PEP 751), the standardized, tool-agnostic lock file format for Python.

Currently, the plugin only supports uv.lock. Adding pylock.toml support would make it work with any resolver that produces this standard format.

pylock.toml format overview

The lock file uses [[packages]] entries with name, version, and optional marker fields:

lock-version = "1.0"
created-by = "mousebender"
requires-python = "== 3.12"

[[packages]]
name = "attrs"
version = "25.1.0"
requires-python = ">= 3.8"

  [[packages.wheels]]
  name = "attrs-25.1.0-py3-none-any.whl"
  url = "https://files.pythonhosted.org/..."
  hashes = {sha256 = "..."}

[[packages]]
name = "cattrs"
version = "24.1.2"
requires-python = ">= 3.8"

  [[packages.dependencies]]
  name = "attrs"

Key differences from uv.lock:

| Aspect | uv.lock | pylock.toml |
|---|---|---|
| Package table key | [[package]] (singular) | [[packages]] (plural) |
| Environment markers | resolution-markers on package + marker on deps | marker directly on each [[packages]] entry |
| Dependencies | dependencies array used for transitive resolution | [[packages.dependencies]] (informational only) |
| Extras | optional-dependencies dict on packages | Not represented per-package; top-level extras field |
| File naming | uv.lock | pylock.toml or pylock.<name>.toml |

Implementation considerations

Simpler marker handling

In pylock.toml, the marker field is directly on each package entry, so there's no need for the OR-joining and AND-merging of resolution-markers that the uv.lock parser does.

Transitive dependency filtering

pylock.toml lists all packages in the resolved set. The [[packages.dependencies]] field is informational only (installers must not use it for resolution). The plugin currently only pins dependencies transitively reachable from the project's declared dependencies, so similar filtering would be needed. Options:

  1. Use [[packages.dependencies]] to walk the dependency graph (same approach as uv.lock)
  2. Pin all packages in the lock file (simpler, but may include unrelated packages if the lock file covers multiple extras/groups)

File discovery and configuration

  • Look for pylock.toml in the project root
  • Support named variants (pylock.<name>.toml) via a config option
  • Auto-detect format or let users specify via config (e.g., lock-file = "pylock.toml")
