pip-compile (pip-tools): Lock Command Reference
Compile loose requirements into a fully pinned, hashed lockfile.
pip-compile (from the pip-tools package) resolves a high-level requirements.in (or pyproject.toml) into a fully pinned requirements.txt. CI uses it to generate and verify a deterministic lock.
Common flags / usage
- pip-compile requirements.in -- write a pinned requirements.txt
- -o FILE -- choose the output file name
- --generate-hashes -- add integrity hashes for --require-hashes installs
- --upgrade -- re-resolve to the newest allowed versions
- --upgrade-package PKG -- bump only one package
Example
shell
- run: pip install pip-tools
- run: pip-compile --generate-hashes -o requirements.txt requirements.in
# Gate: fail if the committed lock is stale
- run: |
pip-compile --quiet -o /tmp/check.txt requirements.in
diff requirements.txt /tmp/check.txtIn CI
Commit the compiled requirements.txt and install it with pip install --require-hashes for a hardened, reproducible build. A diff gate catches a forgotten re-compile before merge.
Key takeaways
- pip-compile turns requirements.in into an exhaustively pinned requirements.txt.
- --generate-hashes enables tamper-evident --require-hashes installs.
- Diff a fresh compile against the committed lock as a CI staleness gate.
Related guides
pip install -r requirements.txt: Command ReferenceReference for pip install -r requirements.txt in CI: installing a whole dependency file, hashed installs, con…
pip freeze: Pin the Environment Command ReferenceReference for pip freeze in CI: snapshotting installed versions into requirements.txt, excluding editable/VCS…
uv pip install: Fast Installs Command ReferenceReference for uv pip install in CI: a fast, pip-compatible installer, shared flags, the must-target-an-enviro…