pip 26.1 ships lockfiles and dependency cooldowns
Python’s default package installer gets two long-requested capabilities in 26.1. The new pip lock command resolves a dependency tree and writes it to a pylock.toml file — Simon Willison’s test on datasette llm produced a 519-line lockfile capturing every transitive dependency. This brings pip closer to feature parity with tools like uv and Poetry, which have offered deterministic lockfiles for years.
The second addition is dependency cooldowns via --uploaded-prior-to PXD, where PXD is an ISO 8601 duration and X is the number of days. Passing --uploaded-prior-to P4D forces pip to ignore any package version uploaded in the last four days, giving teams a built-in defence against freshly compromised or accidentally broken releases hitting their builds. The release also drops Python 3.9 support, which reached EOL in October.
For supply-chain risk management, the cooldown flag is the more consequential change. Several recent PyPI incidents — including malicious package takeovers — have been caught and removed within days of upload, so a default install delay turns the broader community’s vigilance into a passive defence layer for any project that opts in.
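As an added example (not code from the article or from pip itself), the script below reproduces the cooldown rule offline so a team can audit the pins in an existing pylock.toml against PyPI upload times, independently of whether the install was run with the flag. It assumes PEP 751's `[[packages]]` name/version layout for the pins and PyPI's JSON API `upload_time_iso_8601` field for upload times; the release metadata is constructed sample data, and pip's own per-file logic may differ in detail.

```python
"""Reproduce pip's cooldown rule offline to audit a lockfile's pins."""
import re
from datetime import datetime, timedelta, timezone

# Only the day form of an ISO 8601 duration (PnD) is handled, which is the
# form the article describes for --uploaded-prior-to.
_DURATION_RE = re.compile(r"^P(\d+)D$")


def parse_cooldown(spec: str) -> timedelta:
    """Turn 'P4D' into timedelta(days=4); anything else is rejected."""
    m = _DURATION_RE.match(spec)
    if m is None:
        raise ValueError(f"unsupported duration, expected PnD: {spec!r}")
    return timedelta(days=int(m.group(1)))


def _upload_time(file_info: dict) -> datetime:
    # PyPI's JSON API reports upload_time_iso_8601 with a trailing 'Z'.
    iso = file_info["upload_time_iso_8601"].replace("Z", "+00:00")
    return datetime.fromisoformat(iso)


def eligible_versions(releases: dict, cooldown: timedelta, now: datetime) -> list:
    """Versions whose newest file was uploaded before now - cooldown.

    `releases` maps version -> list of file dicts, the shape of the
    'releases' object in PyPI's /pypi/<name>/json. A version is held back
    if *any* of its files is too new: a late-added wheel is just as suspect.
    """
    cutoff = now - cooldown
    return [v for v, files in releases.items()
            if files and max(map(_upload_time, files)) < cutoff]


def audit_pins(pins: dict, index: dict, cooldown: timedelta, now: datetime) -> dict:
    """Return {name: version} for pins that would violate the cooldown.

    `pins` is name -> version as read from pylock.toml's [[packages]] entries
    (hypothetical caller supplies it); `index` is name -> releases.
    """
    return {name: ver for name, ver in pins.items()
            if ver not in eligible_versions(index.get(name, {}), cooldown, now)}


# Constructed sample data, not real PyPI metadata.
NOW = datetime(2026, 4, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    "1.2.0": [{"upload_time_iso_8601": "2026-03-01T08:00:00.000000Z"}],
    "1.3.0": [{"upload_time_iso_8601": "2026-04-10T17:30:00.000000Z"}],
    "1.3.1": [{"upload_time_iso_8601": "2026-04-14T09:00:00.000000Z"}],  # inside P4D
}
```

Running `audit_pins({"example-pkg": "1.3.1"}, {"example-pkg": SAMPLE_RELEASES}, parse_cooldown("P4D"), NOW)` flags the 1.3.1 pin, while a 1.3.0 pin passes because it is older than the four-day window.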
Continue reading at Simon Willison. This is an AI-generated summary; read the original for the full story.