What’s new in pip 26.1 - lockfiles and dependency cooldowns! (https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/)

Richard Si describes an excellent set of upgrades to Python’s default pip tool for installing dependencies.

This version drops support for Python 3.9 - fair enough, since it’s been EOL since October (https://devguide.python.org/versions/). macOS still ships with python3 as a default Python 3.9, so I tried out the new Python version against Python 3.14 like this:

uv python install 3.14 mkdir /tmp/experiment cd /tmp/experiment python3.14 -m venv venv source venv/bin/activate pip install -U pip pip –version

This confirmed I had pip 26.1 - then I tried out the new lock files:

pip lock datasette llm

This installs Datasette and LLM and all of their dependencies and writes the whole lot to a 519 line pylock.toml file - here’s the result (https://gist.github.com/simonw/ff52c33f4d3a381b8e53c6a3aa0213f8).

The new release also supports dependency cooldowns, discussed here previously (https://simonwillison.net/2026/Mar/24/package-managers-need-to-cool-down/), via the new –uploaded-prior-to PXD option where X is a number of days. The format is P-number-of-days-D, following ISO duration format (https://en.wikipedia.org/wiki/ISO_8601#Durations) but only supporting days.

I shipped a new release of LLM, version 0.31, three days ago (https://simonwillison.net/2026/Apr/24/llm/). Here’s how to use the new –uploaded-prior-to P4D option to ask for a version that is at least 4 days old.

pip install llm –uploaded-prior-to P4D venv/bin/llm –version

This gave me version 0.30.

Via Lobste.rs (https://lobste.rs/s/w2oiaq/what_s_new_pip_26_1_lockfiles_dependency)

Tags: packaging (https://simonwillison.net/tags/packaging), pip (https://simonwillison.net/tags/pip), python (https://simonwillison.net/tags/python), security (https://simonwillison.net/tags/security), supply-chain (https://simonwillison.net/tags/supply-chain)