Add initial support for -r pylock.toml (experimental) #13876

Merged
sbidoul merged 20 commits into pypa:main from sbidoul:install-from-pylock-reqs-sbi
Apr 26, 2026
@sbidoul

@sbidoul sbidoul commented Mar 28, 2026

Member

But this works.

Closes #13334

@sbidoul

sbidoul commented Mar 28, 2026

Member Author

@pypa/pip-committers is everyone on board with -r pylock.toml as UX ?

@sbidoul sbidoul force-pushed the install-from-pylock-reqs-sbi branch from ef28c69 to 5ba7b8e Compare March 28, 2026 18:45
@pfmoore

pfmoore commented Mar 28, 2026

Member

Makes sense to me. Will the decision as to whether it's a requirements file or a lock file be based on the filename, or the content? Either is a plausible choice. My preference would be to base it on the filename, as per the lockfile spec. This is technically backward incompatible, but I doubt anyone is naming their requirements files pylock.toml...

Edit: I see the current implementation works off the filename. That fits with my preference.

@stonebig

stonebig commented Mar 29, 2026

Contributor

Initial try... I may have screwed up...:

It gives me two strange issues:

  • it downloads cython-3.2.4-cp314-cp314-win_amd64.whl from https://pypi.org/project , but I should already have it; it may be because I mistakenly tested the requirements file instead of the pylock file
  • it crashes in this, maybe particular, case:

```
  Using cached zstandard-0.25.0-cp314-cp314-win_amd64.whl (516 kB)
Collecting pip (from datasette==0.65.2->-r .\build_history\publish_202602\requir.64-3_14_3_1slimb0.txt (line 147))
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    pip from https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl (from datasette==0.65.2->-r .\build_history\publish_202602\requir.64-3_14_3_1slimb0.txt (line 147))
```

then, realizing it's not the .toml, redoing with pylock file:

output (same issue): (it's text file output, branded as .csv )

@sbidoul

sbidoul commented Mar 29, 2026

Member Author

@stonebig maybe try with --no-deps. If I read the output correctly, datasette depends on pip, which is not in the lock file.

@stonebig

Contributor

> @stonebig maybe try with --no-deps. If I read the output correctly, datasette depends on pip, which is not in the lock file.

Yes, I realised I should do that after... maybe the error message could suggest that obvious error ?

@sbidoul

sbidoul commented Mar 29, 2026

Member Author

> maybe the error message could suggest that obvious error

Maybe? I don't think I'll address that in this PR, which "simply" reads requirements from a pylock file but otherwise leaves all other pip behaviors intact.

@stonebig

stonebig commented Mar 29, 2026

Contributor

Strange test:

  • removing cython-3.2.4-cp314-cp314-win_amd64.whl from my personal directory .\packages.srcreq, only leaving cython-3.2.4-py3-none-any.whl
  • using pip3 download --dest .\test05 -r .\build_history\publish_202602\pylock.64-3_14_3_1slimb0.toml --no-deps --pre --no-index --trusted-host=None --find-links=.\packages.srcreq --no-cache-dir

==> this downloads wheels from pypi .... and I get again cython-3.2.4-cp314-cp314-win_amd64.whl at arrival

can't I make a fully isolated source directory of wheels with -no-deps --pre --no-index --trusted-host=None --find-links=.\packages.srcreq --no-cache-dir ?

Besides that, result matches the wheel requested... only the source of wheels seems not-constrainable to a directory

@pfmoore

pfmoore commented Mar 29, 2026

Member

If the lock file includes PyPI URLs as the location of the wheels, then of course it will download files from PyPI. If you want to only use local files, you'll need to modify the lockfile to reflect that.

The lockfile you linked to only uses URLs, so that's what pip will use.

@sbidoul sbidoul force-pushed the install-from-pylock-reqs-sbi branch 3 times, most recently from 08b0baa to b0d4b3f Compare April 1, 2026 20:28
@notatallshaw

Member

> is everyone on board with -r pylock.toml as UX ?

Will this work where all -r places currently work? Such as download and wheel?

Will this work with all the options users expect to work with requirements files? Constraints? Dry run?

@sbidoul

sbidoul commented Apr 2, 2026

Member Author

> Will this work where all -r places currently work? Such as download and wheel?

Yes absolutely. pip {wheel,download} -r pylock.toml are useful features, I think.

> Will this work with all the options users expect to work with requirements files? Constraints? Dry run?

Yes everything works because the lock file is simply another source of requirements. Constraints of course must be compatible with the requirements in the lock file which already provides strong constraints, but that works.

So far the only limitations I see are support for selecting extras and dependency groups from the lock file. So my current thinking is to do

  • A MVP with pip {install,wheel,download,lock} -r pylock.toml without support for extras and dependency groups (this PR)
  • After that, we can consider a new pip sync command that accepts a single lock file and updates the current environment to match the lockfile exactly. That is not entirely obvious since we don't have a way to record the provenance origin of installed distributions (except when the requirement was provided as a direct URL), so pip sync would roughly be pip install -r pylock.toml --ignore-installed --no-deps + pip uninstall {everything not listed in the lock file}. That pip sync command would accept --extra, --group options likely inspired from uv.
  • I would also investigate if pylock files could serve as constraint sources. I think it would mesh well with the current pip UX, and there seems to be some demand for it on the uv tracker Accept pylock.toml as a constraint file astral-sh/uv#13031.

Two more notes:

  • currently, the still experimental pip lock command cannot (even in principle) produce extras and dependency groups in the lock file with the current options set
  • uv pip install -r does not accept other requirements when a pylock.toml is provided, so it could in principle handle --extra and --group options. But I feel that limitation a bit awkward for -r and we don't have such --extra and --group options in pip anyway. That might be a track to explore, though, not sure.

@sbidoul sbidoul force-pushed the install-from-pylock-reqs-sbi branch 2 times, most recently from 90d8cd6 to faee9b2 Compare April 6, 2026 14:14
@sbidoul sbidoul mentioned this pull request Apr 7, 2026
@sbidoul sbidoul force-pushed the install-from-pylock-reqs-sbi branch from faee9b2 to 167a305 Compare April 15, 2026 07:22
@sbidoul sbidoul added this to the 26.1 milestone Apr 20, 2026
@notatallshaw

Member

I'm +1 on merging this with the experimental notice, I suspect we'll never find the rough edges without it being released.

@sbidoul sbidoul changed the title Add support for -r pylock.toml Add initial support for -r pylock.toml (experimental) Apr 23, 2026
@sbidoul sbidoul marked this pull request as ready for review April 23, 2026 16:51
@sbidoul

sbidoul commented Apr 23, 2026

Member Author

I still need to improve the help text and maybe replace a few asserts with proper exceptions but otherwise I think this is good enough for a MVP to gather feedback.

@sbidoul

sbidoul commented Apr 24, 2026

Member Author

I broke out #13943 and #13944 for lock files combining directory and VCS entries with other entries with hashes.

Other than that, and extras/groups support for which a UI has to be invented, this is complete.

@sbidoul

sbidoul commented Apr 26, 2026

Member Author

@ichard26 thanks for the valuable review, however late. I addressed your comments.

> I'm a bit uneasy with letting users mix and match -r pylock.toml with any other requirement or constraint option. Given we already have a confusing set of requirement options, this feels prone to making this problem worse, but I guess we'll find out after the release. If it's experimental, I'd say that we reserve the right to be stricter if it turns out to be a massive foot-gun (though, I doubt it will be... hopefully users will exercise reasonable restraint).

I personally think it makes sense and fits nicely in the UX if you see it simply as a source of pre-constrained requirements. Of course there are plenty of ways to provide options combinations that don't make sense, but not much more than what we already have. In terms of teaching, the canonical way to use it is pip install -r pylock.toml --no-deps in an empty venv, with the corresponding pip wheel and pip download variants.

> P.S. I don't understand how dependency groups and lockfiles are supported to work together. Are dependency groups still read from a pyproject.toml file or is everything purely sourced from the lock file? If someone could ELI5 for me, that would be great 🙂

Were there UX recommendations about that during the PEP 751 discussions, I don't remember? For pip, the question is fully open.

As a side note I have a vague impression that --group reading from $PWD/pyproject.toml by default may cause UI-related difficulties down the line, not sure.

@sbidoul sbidoul merged commit 63c3709 into pypa:main Apr 26, 2026
37 checks passed
@sbidoul sbidoul deleted the install-from-pylock-reqs-sbi branch April 26, 2026 16:54
@ichard26

Member

> Can you try that again and/or provide more information? pip wheel does support editable requirements (it builds them as regular wheels). pip download ignores them, I think. That should not be different if the requirement comes from a lock file.

Ah, it seems fine trying it again. I don't know what the hang was about TBH.

I got confused that pip still checks for the build_editable hook, but it's just a quality of implementation defect. It doesn't cause any issues since the normal wheel hooks are still used.

```
$ pip wheel -r pylock.toml --no-deps
WARNING: Using pylock.toml as a requirements source is an experimental feature. It may be removed/changed in a future release without prior warning.
Obtaining file:///home/ichard26/dev/flower/ (from pylock.toml)
  Installing build dependencies ... done
  Checking if build backend supports build_editable ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: flower
  Building wheel for flower (pyproject.toml) ... done
  Created wheel for flower: filename=flower-1.3.0-py3-none-any.whl size=3711 sha256=f9b46b97a8d56029ece11eb32dd17034922a0f264ed98efdb3a8c00483feebd6
  Stored in directory: /tmp/pip-ephem-wheel-cache-e57i5a70/wheels/e5/45/c9/81c5b3d6a1c1e50fe115385f767138ddec6d709c39419e3961
Successfully built flower
```

> Were there UX recommendations about that during the PEP 751 discussions, I don't remember? For pip, the question is fully open.

I didn't follow the PEP 751 discussions that well so I have no idea. I'm just wondering why the lockfiles support a dependency-groups field in the first place.

@pfmoore

pfmoore commented Apr 26, 2026

Member

> I didn't follow the PEP 751 discussions that well so I have no idea.

I can confidently say that the PEP 751 discussions were extensive enough that even if you followed them (like I did!) remembering what was covered is pretty difficult 🙂

From what I recall, dependency groups and extras were included as part of covering uv and PDM style lockfiles. So for example, uv sync has --group X and --extra X options to allow you to select additional parts of the lockfile. If we ever get a pip sync style command, I'd expect that we would follow that model. But for the current model, where a lockfile is just another source of requirements, I have no intuition about how a UI for extras or dependency groups would look. I'm pretty sure the PEP 751 discussions never even considered that model (except maybe in the sense of saying that it might be possible, but that the sync model of making an environment match a lockfile is the core use case).

bilalobe pushed a commit to bilalobe/trackone that referenced this pull request Apr 26, 2026
Bumps [pip](https://github.com/pypa/pip) from 26.0.1 to 26.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's
changelog</a>.</em></p>
<blockquote>
<h1>26.1 (2026-04-26)</h1>
<h2>Deprecations and Removals</h2>
<ul>
<li>Drop support for Python 3.9.
(<code>[#13795](pypa/pip#13795)
&lt;https://github.com/pypa/pip/issues/13795&gt;</code>_)</li>
</ul>
<h2>Features</h2>
<ul>
<li>Add experimental support to read requirements from standardized
pylock.toml files (<code>-r pylock.toml</code>).
(<code>[#13876](pypa/pip#13876)
&lt;https://github.com/pypa/pip/issues/13876&gt;</code>_)</li>
<li>Allow <code>--uploaded-prior-to</code> to accept a duration in days
(e.g., <code>P3D</code> for 3 days ago).
(<code>[#13674](pypa/pip#13674)
&lt;https://github.com/pypa/pip/issues/13674&gt;</code>_)</li>
</ul>
<h2>Enhancements</h2>
<ul>
<li>Speed up dependency resolution when there are complex conflicts.
(<code>[#13859](pypa/pip#13859)
&lt;https://github.com/pypa/pip/issues/13859&gt;</code>_)</li>
<li>Reduce memory usage when resolving large dependency trees.
(<code>[#13843](pypa/pip#13843)
&lt;https://github.com/pypa/pip/issues/13843&gt;</code>_)</li>
<li>Emit a deprecation warning when pip imports an unexpected module
after
installation of a distribution has started.
(<code>[#13912](pypa/pip#13912)
&lt;https://github.com/pypa/pip/issues/13912&gt;</code>_)</li>
<li>Allow URL constraints to apply to requirements with extras.
(<code>[#12018](pypa/pip#12018)
&lt;https://github.com/pypa/pip/issues/12018&gt;</code>_)</li>
<li>Allow unpinned requirements to use hashes from constraints.
Constraints
like <code>{name}=={version} --hash=...</code> feeds into hash
verification for
a corresponding requirement.
(<code>[#9243](pypa/pip#9243)
&lt;https://github.com/pypa/pip/issues/9243&gt;</code>_)</li>
<li>Improve conflict reports that involve direct URLs.
(<code>[#13932](pypa/pip#13932)
&lt;https://github.com/pypa/pip/issues/13932&gt;</code>_)</li>
<li>Show all errors instead of first error for faulty
<code>dependency_groups</code> definitions.
(<code>[#13917](pypa/pip#13917)
&lt;https://github.com/pypa/pip/issues/13917&gt;</code>_)</li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>Fix recovery hint for missing RECORD file to use
<code>--ignore-installed</code>
instead of <code>--force-reinstall</code>.
(<code>[#12645](pypa/pip#12645)
&lt;https://github.com/pypa/pip/issues/12645&gt;</code>_)</li>
<li>Fix misleading error message when a constraint file cannot be
opened. (<code>[#13226](pypa/pip#13226)
&lt;https://github.com/pypa/pip/issues/13226&gt;</code>_)</li>
<li>Show the filename rather than the full URL when downloading files
from non-PyPI indexes in non-verbose mode.
(<code>[#13494](pypa/pip#13494)
&lt;https://github.com/pypa/pip/issues/13494&gt;</code>_)</li>
<li>Remove the adjacent <code>__pycache__</code> directory when a .py
file is removed.
(<code>[#13725](pypa/pip#13725)
&lt;https://github.com/pypa/pip/issues/13725&gt;</code>_)</li>
<li>Force UTF-8 encoding for :pep:<code>723</code> metadata.
(<code>[#13861](pypa/pip#13861)
&lt;https://github.com/pypa/pip/issues/13861&gt;</code>_)</li>
<li>Minor performance improvement when filtering candidates during
resolution. (<code>[#13916](pypa/pip#13916)
&lt;https://github.com/pypa/pip/issues/13916&gt;</code>_)</li>
<li>Fix a hang on Windows when stdout is closed during verbose output.
(<code>[#13927](pypa/pip#13927)
&lt;https://github.com/pypa/pip/issues/13927&gt;</code>_)</li>
<li>Common path prefixes are determined by path segment, not character
by character. (<code>[#13847](pypa/pip#13847)
&lt;https://github.com/pypa/pip/issues/13847&gt;</code>_)</li>
<li>Fix installing <code>.tar.gz</code> source distributions that look
like a zip file.
(<code>[#13867](pypa/pip#13867)
&lt;https://github.com/pypa/pip/issues/13867&gt;</code>_)</li>
</ul>
<h2>Vendored Libraries</h2>
<ul>
<li>Upgrade certifi to 2026.2.25</li>
<li>Upgrade packaging to 26.2</li>
<li>Upgrade requests to 2.33.1</li>
<li>Upgrade tomli to 2.3.1</li>
<li>Upgrade urllib3 to 2.6.3</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/pip/commit/90b2b3e0f7ef75c485155716d904e51654575803"><code>90b2b3e</code></a>
Bump for release</li>
<li><a
href="https://github.com/pypa/pip/commit/193f289a6201f801b23885297332461ac8a65b6b"><code>193f289</code></a>
Update AUTHORS.txt</li>
<li><a
href="https://github.com/pypa/pip/commit/63c3709071c9596d7f4676502a90a3b06f241772"><code>63c3709</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13876">#13876</a> from
sbidoul/install-from-pylock-reqs-sbi</li>
<li><a
href="https://github.com/pypa/pip/commit/e5fe7023ffe74a5895571eaf57bdd2989018fbf2"><code>e5fe702</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13949">#13949</a> from
pypa/revert-13888-resolver-editable-links</li>
<li><a
href="https://github.com/pypa/pip/commit/122a14a8cd3dae7b3e959641f0b45849d4b21618"><code>122a14a</code></a>
Revert &quot;Allow editable installs to satisfy direct-URL dependencies
(<a
href="https://redirect.github.com/pypa/pip/issues/13888">#13888</a>)&quot;</li>
<li><a
href="https://github.com/pypa/pip/commit/c3352524aae95ae959d4727dda5b5c65752261b3"><code>c335252</code></a>
-r pylock.toml: add pip-wheel -r pylock.toml test</li>
<li><a
href="https://github.com/pypa/pip/commit/ba2fc12b7f386d89e233bdfd49e7b89d1af57ad1"><code>ba2fc12</code></a>
-r pylock.toml: proper error with remote pylock.toml containing
directory ent...</li>
<li><a
href="https://github.com/pypa/pip/commit/747c4ae88837a8bb13946fe9d1b612c162a2e3df"><code>747c4ae</code></a>
Merge pull request <a
href="https://redirect.github.com/pypa/pip/issues/13948">#13948</a> from
ichard26/reword-news</li>
<li><a
href="https://github.com/pypa/pip/commit/3517841c5e2d92e04dbef52c61a8fa967c059efa"><code>3517841</code></a>
-r pylock: refine filename pylock-ness test</li>
<li><a
href="https://github.com/pypa/pip/commit/2f7ad8caeed4471e63958df6cacba3a66a215588"><code>2f7ad8c</code></a>
-r pylock.toml: fix crash with pip wheel and pip lock</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/pip/compare/26.0.1...26.1">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@webknjaz

webknjaz commented May 7, 2026

Member

> I would also investigate if pylock files could serve as constraint sources. I think it would mesh well with the current pip UX, and there seems to be some demand for it on the uv tracker Accept pylock.toml as a constraint file astral-sh/uv#13031.

@sbidoul does pip already have a tracking issue for this? Ah, found it: #13961. My pip-tools driven workflows usually include a pip install -r deps.in -c deps.txt. So I'd expect things like pip install some-dep -c pylock.transitive-deps.toml to be a replacement.

@sbidoul

sbidoul commented May 7, 2026

Member Author

@webknjaz yes, please add your use case in #13961

Development

Successfully merging this pull request may close these issues.

Implement installation from PEP 751 aka standardized lockfiles

6 participants