Socket Now Supports pylock.toml Files

Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.

Trevor Norris

June 5, 2025

At Socket, we're committed to securing the software supply chain by providing comprehensive protection against dependency vulnerabilities and malicious packages. Today, we're excited to announce support for pylock.toml files, the new standardized Python lock file format defined by PEP 751 that is rapidly gaining adoption in the ecosystem. This addition ensures Python developers using the latest ecosystem standards can benefit from Socket's advanced security scanning while maintaining reproducible, secure builds.

The Python Lock File Revolution

Python's packaging ecosystem has long struggled with fragmentation across different dependency management tools. While Poetry has poetry.lock, PDM uses pdm.lock, and uv employs uv.lock, there hasn't been a universal standard—until now. PEP 751 introduces pylock.toml as the official standardized lock file format for Python, bringing the ecosystem closer to the unified approaches seen in other languages like JavaScript's package-lock.json.

Unlike traditional requirements.txt files that can produce different results across environments, pylock.toml provides:

  • Exact version pinning: Every dependency is locked to a specific version
  • Mandatory cryptographic hashes: Security isn't optional—every package must include verification hashes
  • Cross-platform reproducibility: The same lock file works consistently across different operating systems
  • Tool interoperability: A single format that multiple tools can read and write

Why pylock.toml Matters for Security

The security implications of standardized lock files cannot be overstated. Traditional Python dependency management often left teams vulnerable to several attack vectors:

Before pylock.toml:

  • Non-deterministic installs: Running pip install at different times could pull different dependency versions
  • Optional security: Hash verification in requirements.txt was entirely opt-in
  • Tool lock-in: Security tools had to support multiple proprietary formats
  • Audit complexity: Different lock file formats made comprehensive security scanning challenging

With pylock.toml:

  • Deterministic builds: Every install uses exactly the same package versions
  • Mandatory hash verification: Cryptographic integrity checking is built into the format
  • Standardized security metadata: One format for all security tools to analyze
  • Supply chain protection: Exact version locking prevents dependency confusion attacks

How Socket Handles pylock.toml Files

Socket's pylock.toml support has to account for a key difference in the format. Unlike lock files that carry a complete dependency graph (such as uv.lock), a pylock.toml records only exact version pins, not the relationships between packages. Socket therefore cannot read the graph from the lock file and must reconstruct it.

Our Implementation Strategy

When Socket detects a pylock.toml file in your project:

  1. Exclusive processing: The pylock.toml becomes the authoritative source for all dependencies, preventing dependency bloat
  2. Metadata enrichment: We fetch complete dependency information from PyPI to construct the full dependency graph
  3. Direct dependency detection: We analyze both pylock.toml and pyproject.toml to accurately identify direct vs. transitive dependencies
  4. Wheel constraint enforcement: We ensure only the exact wheel files specified in your lock file are processed

This approach ensures that Socket's analysis remains accurate while respecting the security constraints defined in your lock file.

Enhanced Security Analysis

Socket's integration with pylock.toml enhances our ability to protect your Python projects:

Real-Time Threat Detection

  • Exact version monitoring: We know precisely which package versions you're using, enabling more accurate vulnerability detection
  • Hash verification: Socket validates that packages match the cryptographic hashes recorded in your lock file
  • Behavioral analysis: Our engine analyzes the exact versions specified in your lock file for suspicious patterns

Comprehensive Protection

Socket continues to provide protection against our full range of supply chain threats when using pylock.toml:

  • Malware and backdoors
  • Typosquatting attempts
  • Hidden code and obfuscated logic
  • Network anomalies and data exfiltration
  • Permission creep and capability expansion
  • Plus 70+ additional security signals

Migrating to pylock.toml

If you're ready to adopt pylock.toml for enhanced security and reproducibility, here's how to get started:

From pip/requirements.txt

If you're currently using pip with a requirements.txt file:

# Install pip 25.1 or later
pip install --upgrade pip

# Generate pylock.toml from your requirements
pip lock -r requirements.txt -o pylock.toml

From Poetry

Poetry users can export to pylock.toml format (requires Poetry with PEP 751 support):

# Export current lock file to pylock.toml
poetry export --format pylock -o pylock.toml

From PDM

PDM has native support for exporting to pylock.toml:

# Export to pylock.toml format
pdm export -f pylock -o pylock.toml

From uv

uv users can export their lock files:

# Export uv.lock to pylock.toml
uv export --format pylock.toml

Important Notes

Socket's pylock.toml support requires a pyproject.toml file to be present in your project. This requirement ensures we can accurately distinguish between direct and transitive dependencies, maintaining the integrity of your dependency graph analysis.

Benefits of Using pylock.toml with Socket

Combining pylock.toml with Socket's security platform provides multiple advantages:

1. Deterministic Security Scanning

With exact versions locked, Socket can provide consistent security assessments across all environments. Your CI/CD pipeline, development machines, and production deployments all use identical dependencies.

2. Faster Vulnerability Detection

Standardized lock files enable Socket to quickly identify when you're using vulnerable package versions, without needing to resolve complex dependency trees at scan time.

3. Simplified Compliance

For teams with security compliance requirements, pylock.toml provides an auditable record of exact dependencies, while Socket's scanning ensures those dependencies remain secure.

4. Future-Proof Security

As the Python ecosystem converges on pylock.toml as the standard, Socket's support ensures your security tooling remains compatible with evolving best practices.

Best Practices

To maximize security when using pylock.toml with Socket:

  1. Always commit your lock files: Include both pylock.toml and pyproject.toml in version control
  2. Regular updates: Periodically regenerate your lock file to capture security updates
  3. Verify hashes: Ensure your pylock.toml includes cryptographic hashes for all packages
  4. Use Socket CLI: Integrate Socket's CLI tools in your development workflow for immediate feedback
  5. Monitor continuously: Enable Socket's GitHub/GitLab integration for automated PR checks

Looking Forward

The standardization of Python lock files through PEP 751 represents a major step forward for supply chain security. By adding pylock.toml support, Socket ensures that Python developers can adopt these new standards without sacrificing the comprehensive security protection they rely on.

As more tools adopt pylock.toml, we expect to see improved interoperability across the Python ecosystem. Socket will continue to evolve our support, ensuring that regardless of which Python packaging tools you choose, your dependencies remain secure.

Get Started Today

If you're already using Socket, your pylock.toml files will be automatically detected and analyzed in your next scan. For new users, you can:

  1. Sign up for a free Socket account
  2. Connect your repository
  3. Generate a pylock.toml file using your preferred tool
  4. Push your changes and watch Socket analyze your dependencies
