What's new in pip 26.1 - lockfiles and dependency cooldowns!

· Source: Simon Willison's Weblog · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning · Depth: Intermediate, quick

Summary

pip 26.1, the latest version of Python's dependency management tool, adds lockfile generation and dependency cooldowns. This release drops support for Python 3.9, which reached its end-of-life in October. The `pip lock` command now generates a `pylock.toml` file containing a complete list of installed packages and their dependencies; running it for "datasette" and "llm" produced a 519-line file. The new `--uploaded-prior-to PXD` option sets a minimum age for package versions, which prevents installation of very recent releases. `PXD` is an ISO duration in days: pip only installs versions uploaded at least X days ago, so requesting packages older than 4 days retrieved LLM version 0.30.

Key takeaway

For Python developers managing project dependencies, the new features in pip 26.1 make installs more stable and reproducible. Integrate `pip lock` into your CI/CD pipelines to ensure consistent dependency resolution across environments. For critical deployments, consider the `--uploaded-prior-to PXD` option to mitigate the risks of newly uploaded, untested package versions and make your application's dependency stack more robust.

Key insights

Pip 26.1 introduces lockfiles and dependency cooldowns, enhancing Python package management reliability.

Method

Generate a `pylock.toml` with `pip lock <packages>`. Filter package versions by age using `pip install <package> --uploaded-prior-to PXD`.

Best for: Software Engineer, Machine Learning Engineer, AI Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.