
Product
Introducing License Overlays: Smarter License Management for Real-World Code
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Trevor Norris
June 5, 2025
At Socket, we're committed to securing the software supply chain by providing comprehensive protection against dependency vulnerabilities and malicious packages. Today, we're excited to announce support for pylock.toml files, the new standardized Python lock file format defined by PEP 751 that is rapidly gaining adoption in the ecosystem. This addition ensures Python developers using the latest ecosystem standards can benefit from Socket's security scanning while maintaining reproducible, secure builds.
Python's packaging ecosystem has long struggled with fragmentation across dependency management tools. Poetry has poetry.lock, PDM uses pdm.lock, and uv employs uv.lock, but there has been no universal standard until now. PEP 751 introduces pylock.toml as the official standardized lock file format for Python, bringing the ecosystem closer to the unified approach seen in other languages, such as JavaScript's package-lock.json.
Unlike a traditional requirements.txt file, which can produce different results across environments, pylock.toml pins every package to an exact, reproducible version.
The security implications of standardized lock files cannot be overstated. Traditional Python dependency management left teams exposed to several attack vectors:
- Running pip install at different times could pull different dependency versions, so two builds from the same requirements.txt were not guaranteed to contain the same code
- Hash verification for requirements.txt (pip's --require-hashes mode) was entirely opt-in, so a substituted or tampered artifact could be installed without any integrity check

Socket's implementation of pylock.toml support reflects our deep understanding of Python packaging complexities. Unlike lock files that contain a complete dependency graph (such as uv.lock), a pylock.toml file pins exact versions but is not required to record the relationships between packages, since PEP 751 makes the per-package dependencies table optional. This fundamental difference required us to implement a more sophisticated approach.
When Socket detects a pylock.toml file in your project:
- pylock.toml becomes the authoritative source for all dependencies, preventing dependency bloat
- Socket cross-references pylock.toml with pyproject.toml to accurately identify direct vs. transitive dependencies

This approach ensures that Socket's analysis remains accurate while respecting the security constraints defined in your lock file.
Socket's integration with pylock.toml enhances our ability to protect your Python projects, and Socket continues to provide protection against our full range of supply chain threats when you install from a pylock.toml file.
If you're ready to adopt pylock.toml for enhanced security and reproducibility, here's how to get started.

If you're currently using pip with a requirements.txt file (pip 25.1 added pip lock as an experimental command):
# Install pip 25.1 or later
pip install --upgrade pip
# Generate pylock.toml from your requirements
pip lock -r requirements.txt -o pylock.toml
Poetry users can export to pylock.toml format (requires a Poetry release with PEP 751 support):
# Export current lock file to pylock.toml
poetry export --format pylock -o pylock.toml
PDM has native support for exporting to pylock.toml:
# Export to pylock.toml format
pdm export -f pylock -o pylock.toml
uv users can export their lock files:
# Export uv.lock to pylock.toml (without -o the output goes to stdout)
uv export --format pylock.toml -o pylock.toml
Socket's pylock.toml support requires a pyproject.toml file to be present in your project. This requirement ensures we can accurately distinguish between direct and transitive dependencies, maintaining the integrity of your dependency graph analysis.
Combining pylock.toml with Socket's security platform provides multiple advantages:
With exact versions locked, Socket can provide consistent security assessments across all environments. Your CI/CD pipeline, development machines, and production deployments all use identical dependencies.
Standardized lock files enable Socket to quickly identify when you're using vulnerable package versions, without needing to resolve complex dependency trees at scan time.
For teams with security compliance requirements, pylock.toml provides an auditable record of exact dependencies, while Socket's scanning ensures those dependencies remain secure.
As the Python ecosystem converges on pylock.toml as the standard, Socket's support ensures your security tooling remains compatible with evolving best practices.
To maximize security when using pylock.toml with Socket:
- Keep both pylock.toml and pyproject.toml in version control
- Make sure your pylock.toml includes cryptographic hashes for every package

The standardization of Python lock files through PEP 751 represents a major step forward for supply chain security. By adding pylock.toml support, Socket ensures that Python developers can adopt these new standards without sacrificing the comprehensive security protection they rely on.
As more tools adopt pylock.toml, we expect to see improved interoperability across the Python ecosystem. Socket will continue to evolve our support, ensuring that regardless of which Python packaging tools you choose, your dependencies remain secure.
If you're already using Socket, your pylock.toml files will be automatically detected and analyzed in your next scan. For new users, you can:
- Generate a pylock.toml file using your preferred tool