Sorry Python, but it is what it is.
How is it not a lock file?
package.json doesn't contain the exact version number of all downstream dependencies; this does.
Would that just create a list of the current packages/versions without actually locking anything?
Would that just create a list of the current packages/versions
Yes, and all downstream dependencies
without actually locking anything?
What do you mean? Nothing stops someone from manually installing an npm package that differs from package-lock.json; this behaves the same. If you pip install -r requirements.txt, it installs the exact versions specified by the package maintainer, just like npm install. The only difference is Python requires you to specify the "lock file" instead of implicitly reading one from the CWD.
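The point in the comment above only holds if every line of the requirements file is an exact "==" pin (and, for artifact integrity, carries a --hash). The following is an added example, not code from anyone in this thread: a small audit that reads a requirements.txt and reports each requirement that would let pip resolve to a different version than the author tested with. The sample file at the bottom is constructed for the demo; the parsing is deliberately simplified (assumption: no URL or archive requirements beyond the editable case shown).

```python
"""Audit whether a requirements.txt actually behaves as a lock file.

Added example (not from the thread). A requirements file only reproduces one
exact dependency set when every requirement is pinned with '=='; with
--hash= entries pip additionally verifies the downloaded artifacts.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# name, optional [extras], then the version specifier (simplified grammar; assumption)
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# exact pin: '==' followed by a version with no wildcard and no second clause
_EXACT_PIN_RE = re.compile(r"^==[0-9A-Za-z.!+-]+$")


@dataclass
class Finding:
    line_no: int      # first physical line of the requirement
    requirement: str  # the logical line as pip would see it
    reason: str


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, line) with comments removed and backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), start=1):
        # a '#' starts a comment only at line start or after whitespace ('#egg=' in URLs survives)
        stripped = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            start = start or n
            continue
        buf += stripped
        line, buf = buf.strip(), ""
        if line:
            yield (start or n), line
        start = None


def audit_requirements(text: str, require_hashes: bool = False) -> List[Finding]:
    """Return one Finding per requirement that is not locked to an exact version."""
    findings: List[Finding] = []
    for line_no, line in _logical_lines(text):
        if line.startswith("-"):
            # pip options: -r, --index-url, ... carry no version; -e installs from a
            # working tree or VCS ref and therefore is not pinned to an artifact
            if line.startswith(("-e ", "--editable ")):
                findings.append(Finding(line_no, line, "editable/VCS install is not pinned to an artifact"))
            continue
        tokens = line.split()
        has_hash = any(t.startswith("--hash=") for t in tokens)
        req = " ".join(t for t in tokens if not t.startswith("--")).split(";", 1)[0]  # drop env markers
        match = _NAME_RE.match(req)
        if not match:
            findings.append(Finding(line_no, line, "unparseable requirement"))
            continue
        spec = match.group(3).replace(" ", "")
        if not _EXACT_PIN_RE.match(spec):
            findings.append(Finding(line_no, line, f"not pinned to an exact version (spec {spec!r})"))
        elif require_hashes and not has_hash:
            findings.append(Finding(line_no, line, "missing --hash, artifact is not integrity-checked"))
    return findings


def is_locked(text: str, require_hashes: bool = False) -> bool:
    return not audit_requirements(text, require_hashes)


# Constructed sample requirements.txt (not a real project's file).
SAMPLE = """\
# constructed sample requirements.txt
requests==2.31.0
urllib3==2.1.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
cryptography~=41.0
django==4.2.*
-e git+https://example.invalid/pkg.git#egg=pkg
--index-url https://pypi.example.invalid/simple
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE, require_hashes=True):
        print(f"line {f.line_no}: {f.reason}: {f.requirement}")
    print("locked:", is_locked(SAMPLE))
```

Running it on the sample reports pyyaml, cryptography, django (wildcard pin) and the editable install as unlocked, and with require_hashes=True also flags requests for lacking a hash; pip freeze output normally passes the first check but not the second, which is why hash-pinned files (as produced by pip-compile --generate-hashes or pip freeze plus manual hashes) are the closer equivalent to package-lock.json's integrity fields.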
That’s pipenv. Pip just has the capability to read and write from a requirements.txt, which is a step that must be taken manually