TechToFreedom

Technology gives us more and more freedom. Start learning today.

PEP 751 Review: The New Standard for Python Dependency Management

A standardized file format solves fragmentation, ensures cross-tool compatibility, and enforces security

Yang Zhou
4 min read, May 7, 2025


Image from Wallhaven

Dependency management remains one of Python’s biggest pain points.

Today, developers juggle multiple lock files (Poetry's poetry.lock, pip's requirements.txt, PDM's pdm.lock, and uv's uv.lock), and none of them interoperate.

This messy ecosystem has many problems:

Fragmented lock-file landscape

  • Multiple formats and files across tools like Poetry, PDM, uv, and pip.
  • No universal parser — we must choose one tool from the start, risking vendor lock-in.
  • Every tool has its own standards, so we have to keep learning and adapting: pip is the basic one; Poetry was popular for a while; and uv, the Rust-based tool, is the superstar now.

Inconsistent security defaults

  • Hashes, upload timestamps, and source URLs for packages are often optional, which makes supply-chain attacks (a tampered or substituted artifact) harder to detect.
  • Auditing requires manual effort or third-party plugins.
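To make the "optional hashes" problem concrete, here is an added example (not code from the article or from any of the tools it names) that audits a pip-style requirements.txt for the two weaknesses above, unpinned versions and missing `--hash` values, and then verifies a downloaded artifact against its pinned SHA-256 before trusting it. The requirements text and the "wheel" bytes are constructed for the demo; the only real hash in it is computed from those bytes, the others are placeholder digests.

```python
"""Audit a pip requirements.txt for missing pins and hashes, then verify an
artifact against its pinned sha256 (added example; constructed inputs)."""
import hashlib
import re
import shlex
from dataclasses import dataclass, field

# Constructed stand-in for a downloaded wheel; its sha256 is the only real hash below.
FAKE_WHEEL = b"PK\x03\x04 constructed wheel bytes for the demo"
FAKE_WHEEL_SHA256 = hashlib.sha256(FAKE_WHEEL).hexdigest()

# Constructed requirements.txt. Placeholder digests are all-0 / all-1 hex strings.
SAMPLE_REQUIREMENTS = f"""
# constructed requirements.txt (not a real project's file)
requests==2.32.3 --hash=sha256:{FAKE_WHEEL_SHA256}
urllib3>=2.0          # unpinned: the resolver may pick any future release
idna==3.7             # pinned, but no hash: a tampered artifact goes unnoticed
certifi==2024.7.4 \\
    --hash=sha256:{'0' * 64} \\
    --hash=sha256:{'1' * 64}
"""


@dataclass
class Requirement:
    name: str
    specifier: str                          # e.g. "==2.32.3", ">=2.0" or ""
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests

    @property
    def pinned(self) -> bool:
        # Exact pin only; "==1.*" is a wildcard, not a pin.
        return self.specifier.startswith("==") and not self.specifier.endswith("*")


# Project name followed by whatever version specifier is attached to it.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def _logical_lines(text: str):
    """Yield requirement lines with comments stripped and '\\' continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield joined
    if buf:                                  # file ended on a continuation line
        joined = " ".join(buf).strip()
        if joined:
            yield joined


def parse_requirements(text: str) -> list:
    """Parse 'name<spec> --hash=alg:hex ...' lines; pip's 'foo == 1.0' spacing is not handled."""
    reqs = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if not tokens or tokens[0].startswith("-"):
            continue                         # skip options such as -r / --index-url
        match = _NAME_RE.match(tokens[0])
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        req = Requirement(name=match.group(1).lower(), specifier=match.group(2).strip())
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                alg, _, digest = tok[len("--hash="):].partition(":")
                req.hashes.setdefault(alg.lower(), set()).add(digest.lower())
        reqs.append(req)
    return reqs


def audit(reqs: list) -> list:
    """Return (name, finding) pairs for every requirement that weakens the lock."""
    findings = []
    for req in reqs:
        if not req.pinned:
            findings.append((req.name, "not pinned to an exact version"))
        if not req.hashes:
            findings.append((req.name, "no --hash: artifact integrity cannot be verified"))
        elif "sha256" not in req.hashes:
            findings.append((req.name, "only non-sha256 hashes supplied"))
    return findings


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """True only if `data` matches a pinned sha256; an unpinned requirement is never trusted."""
    expected = req.hashes.get("sha256", set())
    if not expected:
        return False
    return hashlib.sha256(data).hexdigest() in expected


if __name__ == "__main__":
    parsed = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, finding in audit(parsed):
        print(f"{name}: {finding}")
    requests_req = next(r for r in parsed if r.name == "requests")
    print("genuine artifact accepted:", verify_artifact(requests_req, FAKE_WHEEL))
    print("tampered artifact accepted:", verify_artifact(requests_req, FAKE_WHEEL + b"x"))
```

Two points worth noting. First, `verify_artifact` refuses an artifact whenever no hash is pinned, which mirrors pip's own hash-checking mode: once any requirement carries `--hash`, pip requires every requirement (including transitive ones) to be pinned and hashed, so the audit above is essentially what pip would enforce at install time. Second, the finding for `urllib3` (no pin, no hash) is the combination that gives an attacker the most room: the resolver may choose a newer release and nothing checks the bytes it downloads.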
