For the project you want to build via lektor, or install lektor for.
Create a requirements.in file with the following content:
lektor
Add any other dependencies there.
Then create a requirements.txt file with the pinned hashes, remember to do it in a same environment, for
example using Python3.7 on Debian 10.
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install pip-tools # This is being downloaded directly from PyPI.
pip-compile --generate-hashes --allow-unsafe --output-file=requirements.txt requirements.in
Commit the requiremnts.* files in your project.
Now, in the virtualenv you are actually installing the project, or say lektor, you can use the follwing command to verify that pinning is being used.
python -m pip install --require-hashes -r requirements.txt