Hey folks, is there a way to have pants use locked...
# general
c
Hey folks, is there a way to have pants use locked dependencies for a `python_distribution`?
f
I don't think any library python distribution formats have the ability to specify locks; it's not normally what you want from wheel or sdist. Usually you leave version locking up to the application packager
c
Yeah, in this case the packager is us, but the distribution method is `pip install`. I'm open to anything that lets us specify exact versions. Currently we use pants to generate a poetry-style lockfile and then use `pip-compile` to write that to a file and then slurp that file in `setup.py`, which is gross, but it would be great if I could have pants replace all of that in a `python_distribution`.
We're hoping to move to Pex, which will remove that need completely, but this would be nice in the interim
h
Hi! +1 to Josh. Pants uses the requirement strings from the `python_requirement` targets (which usually come from a `requirements.txt`) to set up `install_requires`. Generally, Python distributions don't have a mechanism for locks, outside of pants. So the best you can do is pin the version of every dependency to an exact version. Although that can make using the distribution really brittle
f
is the lockfile format used by `generate_lockfiles`/`lock` usable in this case? I haven't interacted with it so I don't know what kinda format it is or anything
c
Ok, thanks for the clarification. Pinning exact versions would be fine. This is an application, so there aren't consumers to be very annoyed.
`generate_lockfiles` is usable for version-pinning dependencies (with some finessing). But it doesn't look like there's an out-of-the-box way to get Pants to version-pin our dependencies in a `python_distribution`. We'll be fine continuing to use the `setup.py`. Thanks for your help!
👍 1
h
yeah I don't think `generate-lockfiles` would help here. it doesn't impact what metadata the distribution is built with
w
the PEX-native lockfile which is produced by default with `generate-lockfiles` is sufficient to later consume in a distribution, in the sense that the lockfile specifies a universe of valid deps.
so after producing a lockfile, you could (with a bunch of tweaking and fiddling) do something like `pex --lock=$lockfile -f=$dir-containing-my-wheel $req-for-my-wheel` … to have PEX resolve from the lockfile
but… you could also create a PEX, and ship that. that avoids actually hitting the network later when you want to “use” your binary