Add option to force use of uv.lock file when adding dependency or installing a tool #5815

Opened by @my1e5

Description

From 'The Cargo Book' - https://doc.rust-lang.org/cargo/commands/cargo-install.html#dealing-with-the-lockfile

Dealing with the Lockfile

By default, the Cargo.lock file that is included with the package will be ignored. This means that Cargo will recompute which versions of dependencies to use, possibly using newer versions that have been released since the package was published. The --locked flag can be used to force Cargo to use the packaged Cargo.lock file if it is available. This may be useful for ensuring reproducible builds, to use the exact same set of dependencies that were available when the package was published.

It would be nice if uv had a similar option which allowed you to force the use of the uv.lock file rather than recomputing the dependencies from the pyproject.toml file. This would enable you to get exact reproducible builds.

Consider this simple use-case:

$ uv init --name mylib
$ uv add numpy

The pyproject.toml looks like

dependencies = [
    "numpy>=2.0.1",
]

and the uv.lock file is

[[distribution]]
name = "numpy"
version = "2.0.1"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/1c/8a/0db635b225d2.......

You then write some code and once ready you commit and push the project to your Git server (including the uv.lock file).

Some time later, you want to re-use this project in another codebase. So you use something like

$ uv add git+ssh://git@mygitserver/user/mylib

But because a new version of numpy has been released it doesn't install version 2.0.1 and instead installs a newer version (potentially causing some issues). Having something like a --use-lock-file flag would solve this issue by directing uv to follow the lock file exactly.

The same thing would be useful for uv tool install. For example if I've developed an executable app and want the exact same dependencies installed as specified in the lock file.

$ uv tool install git+ssh://git@mygitserver/user/myapp

I understand that some might say, well you should have made your dependencies explicit:

dependencies = [
    "numpy==2.0.1",
]

But as you can see, the default behaviour of uv add is to use version ranges (>=). And there may be situations where you are working with someone else's uv-managed project, in which case going by the uv.lock file might be essential to ensure a reproducible build.

Metadata

Assignees: No one assigned

Labels:
    enhancement: New feature or improvement to existing functionality
    needs-design: Needs discussion, investigation, or design

Type: No type

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests