Python pip requirements.txt lock file

piplock.sh

#!/usr/bin/env bash

CWD=$(pwd)
TMP_DIR=$1

if [[ $EUID -eq 0 ]]; then
   echo -e "${RED}x${NC} This script must not be run as root" 
   exit 1
fi
if [ -z $(which python3) ]; then
  echo "python3 not found"
  exit 1
fi
if [ -z $(which pip) ]; then
  echo "python3 pip not found"
  exit 1
fi
if [[ ! -f requirements.txt ]]; then
  echo "requirements.txt not found"
  exit 1
fi

if [[ -z "${TMP_DIR}" ]]; then
  TMP_DIR=/tmp/piplock.$(date +'%s%N')
fi
if [[ ! -z "$(which deactivate)" ]]; then
  deactivate
fi

mkdir -p ${TMP_DIR}
cd ${TMP_DIR}
python3 -m pip install -U pip
python3 -m pip install -U virtualenv
python3 -m venv .venv
source .venv/bin/activate
pip install -q -U --no-cache-dir --isolated --no-warn-conflict -r ${CWD}/requirements.txt
check=$(pip check --no-cache-dir --isolated)
check_exit=$?
if [[ $check_exit -ne 0 ]]; then
  echo ${check}
  exit 1
fi
LOCK="$(pip freeze)"
deactivate
cd ${CWD}
rm -rf ${TMP_DIR}
echo ${LOCK}

Overview

If you are familiar with Node.js package lock files you might have asked if Python Pip can provide the same functionality and learned that you must painstakingly write out the packages and their whole dependency tree of packages yourself, and lock the version using == of these.

This script automates that painstaking process.

Example - locking requests dependency

It is as easy, get the script

wget -q https://gist.githubusercontent.com/chrisdlangton/905a14e7a42118e0d6b5a45c8ce1d3a0/raw/f0916b0b99187a9e839146fbd4e3d5bc26e5d97a/piplock.sh -O piplock.sh && chmod a+x piplock.sh && mv piplock.sh /usr/local/bin/piplock

assume simple requirements;

mkdir -p test-piplock; cd test-piplock
echo -e "retry\nrequests" > requirements.txt

Running piplock produces;

certifi==2020.6.20
chardet==3.0.4
decorator==4.4.2
idna==2.10
py==1.9.0
requests==2.24.0
retry==0.9.2
urllib3==1.25.10

Enjoy!