Fast and safe dependency management for Python applications.

Supports Linux and OS X.

Motivation

The de facto standard way to keep track of Python dependencies is a requirements.txt file listing the required packages and the versions of them that may be used. There are two strategies for specifying versions in a requirements.txt file: listing only the top-level dependencies and the constraints you know to be necessary, or listing every recursive dependency and pinning each to a specific version known to work. The first strategy makes installing dependencies non-repeatable: the same file can resolve to different package versions from one day to the next. The second makes upgrading difficult and is hard to manage with standard Python tools.
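The difference between the two strategies can be checked mechanically. The script below is an added example, not part of dotlock or its documentation: it classifies each line of a requirements.txt as an exact pin (repeatable) or as a range, wildcard, bare name, or pip option (not repeatable). The file contents are constructed for the example, and the parser handles only the common line forms (names with optional extras, version specifiers, environment markers, comments, and `-r`/`--` options), not URL or editable requirements.

```python
"""Classify requirements.txt lines by whether they yield a repeatable install.

Added example; not dotlock's code. Only stdlib is used, so it runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample input (not from any real project): a mix of the two
# strategies described above, plus a line that pulls in another file.
SAMPLE_REQUIREMENTS = """\
# top-level requirements with loose constraints
requests>=2.20
Django~=2.2.0
six
# fully pinned recursive dependencies
certifi==2019.6.16
urllib3==1.25.3 ; python_version >= "3.5"
chardet==3.*
-r dev-requirements.txt
"""

# Project name, optional [extras], then the rest of the line (version specifier).
_REQ_RE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(\[[^\]]*\])?\s*(.*)$"
)
# A single exact clause such as ==1.2.3 or ===abc, with no wildcard.
_EXACT_RE = re.compile(r"^===?\s*[A-Za-z0-9][A-Za-z0-9._+!-]*$")


@dataclass
class Entry:
    name: str
    specifier: str
    repeatable: bool
    reason: str


def classify_line(raw):
    """Classify one requirements.txt line; returns None for blanks and comments."""
    line = raw.split("#", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    if line.startswith("-"):
        # pip options such as -r other.txt or --index-url: what they pull in is
        # not visible in this file, so the line cannot be shown to be repeatable.
        return Entry(line, "", False, "pip option, contents not visible")
    line = line.split(";", 1)[0].strip()  # drop environment markers
    m = _REQ_RE.match(line)
    if not m:
        return Entry(line, "", False, "unrecognised requirement syntax")
    name, _extras, spec = m.groups()
    spec = spec.replace(" ", "")
    if not spec:
        return Entry(name, spec, False, "no version constraint")
    if "," in spec or not _EXACT_RE.match(spec):
        return Entry(name, spec, False, "range or wildcard, not an exact pin")
    return Entry(name, spec, True, "exact pin")


def classify(text):
    """Classify every meaningful line of a requirements.txt body."""
    return [e for e in (classify_line(l) for l in text.splitlines()) if e is not None]


def non_repeatable(text):
    """Names of the entries that make installs from this file non-repeatable."""
    return [e.name for e in classify(text) if not e.repeatable]


if __name__ == "__main__":
    for e in classify(SAMPLE_REQUIREMENTS):
        status = "pinned  " if e.repeatable else "UNPINNED"
        print(f"{status} {e.name:<26} {e.specifier:<18} {e.reason}")
```

Only the two `==` lines in the sample survive as repeatable; everything else, including the `-r` include, is flagged. Note that an exact version pin makes the resolved set repeatable, but it does not by itself verify that the artifact fetched for that version is the one you expect.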

Dotlock enables you to do both: keep track of top-level requirements and known constraints in package.json, and generate a repeatable requirement set in package.lock.json by running a single command: dotlock lock.

Dotlock is partly inspired by pipenv, which also provides dependency-locking functionality. However, dotlock has a different philosophy: instead of acting as a wrapper around pip, dotlock handles package resolution natively. This gives dotlock more flexibility, better performance, and a smaller surface area for bugs, at the cost of the wide platform and package support the pip developers have put so much work into. This should make dotlock well suited to deploying to common environments such as Linux servers with common packages, but there will always be edge cases of platforms or packages it does not support.

Dotlock’s main goals are: