What's new in pip 26.1: lockfiles and dependency cooldowns
TLDR
- pip 26.1 adds native lockfile support via `pip lock` and a `--uploaded-prior-to` flag for pinning dependencies to older versions.
Key Takeaways
- `pip lock <packages>` installs dependencies and writes a `pylock.toml` lockfile; locking datasette and llm produced a 519-line file.
- The `--uploaded-prior-to P<N>D` flag uses ISO duration format (days only) to request package versions uploaded before a given window.
- Example: `pip install llm --uploaded-prior-to P4D` returned llm 0.30 instead of the 3-day-old 0.31 release.
- pip 26.1 drops Python 3.9 support; 3.9 reached end-of-life in October 2025, though macOS still ships it as the default `python3`.
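To make the cooldown arithmetic concrete, the following added example (not code from pip or from the original post) models the selection rule described above: parse a days-only `P<N>D` duration, compute the cutoff, and keep the newest release uploaded before it. The names `RELEASES`, `NOW`, `parse_cooldown` and `pick_version` are hypothetical, and every upload time except the 3-day age of llm 0.31 is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample metadata (not real PyPI data): version -> upload time.
NOW = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    "0.29": NOW - timedelta(days=40),   # constructed age
    "0.30": NOW - timedelta(days=21),   # constructed age
    "0.31": NOW - timedelta(days=3),    # "3-day-old" release from the page
}

def parse_cooldown(value: str) -> timedelta:
    """Parse a days-only ISO 8601 duration such as 'P4D'; reject anything else."""
    m = re.fullmatch(r"P(\d+)D", value)
    if m is None:
        raise ValueError(f"expected P<N>D, got {value!r}")
    return timedelta(days=int(m.group(1)))

def version_key(version: str) -> tuple:
    # Simplification: plain dotted numeric versions only, no pre-releases.
    return tuple(int(part) for part in version.split("."))

def pick_version(releases, cooldown, now):
    """Return the newest version uploaded before (now - cooldown), or None."""
    cutoff = now - parse_cooldown(cooldown)
    eligible = [v for v, uploaded in releases.items() if uploaded < cutoff]
    return max(eligible, key=version_key, default=None)

if __name__ == "__main__":
    for window in ("P0D", "P4D", "P30D", "P60D"):
        print(window, "->", pick_version(RELEASES, window, NOW))
```

A window longer than the age of every release leaves nothing eligible, which is the failure mode to expect when a cooldown is applied to a brand-new dependency.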
Why It Matters
- Native lockfiles close a long-standing gap: pip users previously needed separate tools like pip-tools or Poetry to get reproducible installs.
- The cooldown flag gives operators a simple supply-chain lever to avoid newly uploaded packages that have not yet been widely vetted.
- Python 3.9 removal means macOS users relying on the system Python must explicitly install a newer version (e.g., via `uv python install 3.14`) to use pip 26.1.
Simon Willison, Simon Willison’s Weblog · 2026-04-28 · Read the original