
Clarifying: by “standardized lock files”, Brett means he is working on a proposal to standardize a way of taking a set of direct/top-level Python dependencies (such as “Django >= 4.2”) and serializing out to a file the full tree of packages needed to satisfy that, pinned to exact versions, with package hashes for safe/reproducible installation.

Currently you can do this manually yourself if you know the right pip commands, or you can use the pip-tools project’s pip-compile script (mentioned in the post), or use a fully-third-party project/workspace management tool such as poetry or pipenv, but there is no single, standardized approach nor a single, standardized high-level tool for it.
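The lock-file idea described in the comment above, as an added example that is not from the thread, nor from pip or pip-tools: a toy resolver over a constructed package index that expands a direct requirement such as "Django >= 4.2" into a fully pinned tree with artifact hashes, writes it in hash-pinned requirements form, and rejects an artifact whose digest no longer matches the lock. The index, versions and artifact bytes are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed package index: name -> {version: (dependency names, artifact bytes)}.
# Versions are plain "x.y.z" strings so they compare as integer tuples.
INDEX: Dict[str, Dict[str, Tuple[List[str], bytes]]] = {
    "django": {
        "4.2.0": (["asgiref", "sqlparse"], b"constructed django 4.2.0 wheel"),
        "4.1.0": (["asgiref", "sqlparse"], b"constructed django 4.1.0 wheel"),
    },
    "asgiref": {"3.7.2": ([], b"constructed asgiref 3.7.2 wheel")},
    "sqlparse": {"0.4.4": ([], b"constructed sqlparse 0.4.4 wheel")},
}

def vkey(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))

def split_req(req: str) -> Tuple[str, str]:
    # Only "==" and ">=" specifiers are handled; no specifier means any version.
    for op in ("==", ">="):
        if op in req:
            name, ver = req.split(op, 1)
            return name.strip().lower(), op + ver.strip()
    return req.strip().lower(), ""

def satisfies(version: str, spec: str) -> bool:
    if not spec:
        return True
    op, wanted = spec[:2], spec[2:]
    return vkey(version) == vkey(wanted) if op == "==" else vkey(version) >= vkey(wanted)

def resolve(top_level: List[str]) -> Dict[str, Tuple[str, str]]:
    """Expand direct requirements into name -> (exact version, sha256 of artifact)."""
    lock: Dict[str, Tuple[str, str]] = {}
    queue = [split_req(r) for r in top_level]
    while queue:
        name, spec = queue.pop(0)
        if name in lock:  # already pinned: the pin must still satisfy this spec
            if not satisfies(lock[name][0], spec):
                raise ValueError(f"conflict on {name}: pinned {lock[name][0]}, need {spec}")
            continue
        candidates = [v for v in INDEX[name] if satisfies(v, spec)]
        if not candidates:
            raise ValueError(f"no version of {name} satisfies {spec}")
        version = max(candidates, key=vkey)  # newest version that satisfies the spec
        deps, artifact = INDEX[name][version]
        lock[name] = (version, hashlib.sha256(artifact).hexdigest())
        queue.extend(split_req(d) for d in deps)
    return lock

def lock_lines(lock: Dict[str, Tuple[str, str]]) -> List[str]:
    # Same shape as a hash-pinned requirements file (pip's --require-hashes mode).
    return [f"{n}=={v} --hash=sha256:{h}" for n, (v, h) in sorted(lock.items())]

def verify_artifact(lock: Dict[str, Tuple[str, str]], name: str, data: bytes) -> bool:
    """Reproducible install check: the fetched artifact must match the locked digest."""
    return hashlib.sha256(data).hexdigest() == lock[name][1]
```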