DP002: HasLockfile

Overview

Property Value
ID DP002
Name HasLockfile
Group dependencies
Severity NOTE

Description

Checks for a lockfile that pins exact dependency versions.

Lockfiles make installs reproducible by recording:

  • Exact versions of all direct dependencies
  • The full transitive dependency tree, pinned just as exactly
  • Artifact hashes for verification, where the format records them (uv.lock, poetry.lock, pdm.lock and Pipfile.lock do; pip-tools only with --generate-hashes; pip freeze never does)

What it checks

The check looks for any of these lockfiles:

  • uv.lock (uv)
  • poetry.lock (Poetry)
  • pdm.lock (PDM)
  • Pipfile.lock (Pipenv)
  • requirements.lock (pip-tools)
  • requirements.txt (pip freeze)

How to fix

Using Poetry

poetry lock

Using pip-tools

pip-compile --generate-hashes -o requirements.lock

With no input file given, pip-compile reads requirements.in (or setup.py, pyproject.toml or setup.cfg). Install from the result with pip install --require-hashes -r requirements.lock, so that pip rejects any artifact whose hash is missing or does not match.

Using pip freeze

pip freeze > requirements.txt

Note: A plain requirements.txt is weaker than a proper lockfile. pip freeze pins exact versions but records no hashes, and a hand-maintained requirements.txt may not pin anything at all; since this check only looks for the file, its presence does not by itself prove the environment is pinned.
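The following is an added example, not pycmdcheck's own implementation. It performs the presence search described under "What it checks", using the lockfile names listed there, and goes one step beyond the check by inspecting a found requirements.txt: it joins backslash-continued lines the way pip does, then reports whether every requirement is "==" pinned and whether each carries a --hash option. The statuses, messages, sample files and placeholder hash values are all constructed for the example.

```python
"""Added example (not pycmdcheck's own code): a DP002-style lockfile search,
extended with a content check for requirements.txt so that a loosely pinned or
hash-less file is reported rather than silently accepted."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Lockfile names listed in "What it checks", most specific first.
LOCKFILES = (
    "uv.lock",
    "poetry.lock",
    "pdm.lock",
    "Pipfile.lock",
    "requirements.lock",
    "requirements.txt",
)

# A requirement pinned to exactly one version, e.g. "requests[socks]==2.32.3".
_PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
# "#" at line start or after whitespace begins a comment (pip's rule).
_COMMENT = re.compile(r"(^|\s)#.*$")


def logical_lines(text: str) -> list[str]:
    """Strip comments and join backslash-continued lines, as pip does when it
    reads a requirements file. pip-compile --generate-hashes emits one
    requirement per logical line spread over several physical lines."""
    out: list[str] = []
    buf = ""
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def analyze_requirements(text: str) -> dict:
    """Report which requirement lines are not '==' pinned and which carry no
    --hash option. Option-only lines (-r, -e, --index-url, ...) are skipped."""
    unpinned: list[str] = []
    unhashed: list[str] = []
    total = 0
    for line in logical_lines(text):
        if line.startswith("-"):
            continue
        total += 1
        token = line.split()[0]
        if not _PINNED.match(line):
            unpinned.append(token)
        if "--hash=" not in line:
            unhashed.append(token)
    return {
        "requirements": total,
        "unpinned": unpinned,
        "unhashed": unhashed,
        "pinned": total > 0 and not unpinned,
        "hashed": total > 0 and not unhashed,
    }


def find_lockfile(project: Path) -> str | None:
    """Return the first name from LOCKFILES present in the project root."""
    for name in LOCKFILES:
        if (project / name).is_file():
            return name
    return None


def check_dp002(project: Path) -> tuple[str, str]:
    """Return ("pass" | "note", message). The status vocabulary is this
    example's own; pycmdcheck's real report format is not shown on the page."""
    name = find_lockfile(project)
    if name is None:
        return "note", "no lockfile found"
    if name != "requirements.txt":
        return "pass", f"found {name}"
    info = analyze_requirements((project / name).read_text())
    if info["requirements"] == 0:
        return "note", "requirements.txt is empty"
    if info["pinned"] and info["hashed"]:
        return "pass", "requirements.txt is fully pinned with hashes"
    if info["pinned"]:
        return "note", "requirements.txt is pinned but has no --hash entries (pip freeze output?)"
    return "note", "requirements.txt has unpinned requirements: " + ", ".join(info["unpinned"])


# Constructed sample files; the hash values are placeholders, not real digests.
_FAKE = "sha256:" + "ab" * 32
FROZEN = "requests==2.32.3\ncertifi==2024.8.30\n"  # pip freeze style: pinned, no hashes
HASHED = (  # pip-compile --generate-hashes style: pinned, with hashes
    "requests==2.32.3 \\\n"
    f"    --hash={_FAKE} \\\n"
    f"    --hash={_FAKE}\n"
    "certifi==2024.8.30 \\\n"
    f"    --hash={_FAKE}\n"
)
LOOSE = "# hand-written\nrequests>=2\nfastapi  # web\n-e .\n"  # not a lockfile at all


def demo() -> dict[str, tuple[str, str]]:
    """Run the check against four constructed project layouts in a temp dir."""
    layouts = {
        "poetry": {"poetry.lock": "# constructed stand-in; only presence matters here\n"},
        "hashed": {"requirements.txt": HASHED},
        "loose": {"requirements.txt": LOOSE},
        "empty": {},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in layouts.items():
            root = Path(tmp) / label
            root.mkdir()
            for fname, body in files.items():
                (root / fname).write_text(body)
            results[label] = check_dp002(root)
    return results


if __name__ == "__main__":
    for label, (status, msg) in demo().items():
        print(f"{label:7} {status:5} {msg}")
```

The content check is deliberately strict: a file counts as hashed only when every requirement line carries at least one --hash, which is the condition under which pip's hash-checking mode can reject a substituted artifact rather than falling back to an unverified install.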

Why use lockfiles?

Benefit Description
Reproducibility Same versions on every install
Security Hash verification rejects a substituted or modified artifact at install time (when the lockfile records hashes and the installer enforces them)
Debugging Know exact versions when issues occur
CI/CD Consistent builds across environments

Why NOTE severity?

This check is a NOTE because:

  • Libraries usually do not ship lockfiles, since their consumers resolve versions; applications should
  • Some workflows use different approaches
  • Contributors may regenerate locks anyway

Configuration

Skip this check

[tool.pycmdcheck]
skip = ["DP002"]

CLI

pycmdcheck --skip DP002