Lock dependencies in wheels #5

@carderne

Currently, the Hatch plugin produces wheels with standard `METADATA` files whose `Requires-Dist` fields are copied directly from the project's `pyproject.toml`. That is, they don't include any version lock information from `uv.lock`.

I considered adding a `version-lock: bool` option and optionally adding the lock information to the wheel. However, afaik they don't support hash/file locking. It seems a pity for uv to do all this careful housekeeping and then to throw it away where it actually matters - in production.

You can't `pip install foo.whl --constrain=constraints.lock` (where the lockfile has hashes) because then it will expect a hash for the wheel itself as well.

So this is the usual workaround:

  1. Build a wheel
  2. Create a lockfile (NB: you need uv>=0.4.1 for this):

     ```bash
     # uv will resolve the graph of transitive dependencies
     uv export --format=requirements-txt --package=appname --no-dev > requirements.txt
     ```
  3. Install the requirements before the wheel in your Dockerfile or wherever:

     ```bash
     pip install -r requirements.txt
     pip install foo.whl --no-deps
     ```
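
An added check, not part of the original issue or the plugin: with `pip install foo.whl --no-deps` the wheel's `Requires-Dist` entries are never consulted, so this compares them with the exported `requirements.txt` and reports names that are declared but not pinned, and pins that carry no hash. The sample `METADATA` and requirements text are constructed, and environment markers and extras are not evaluated.

```python
import re

# Constructed sample inputs, not taken from the issue: a wheel METADATA excerpt
# and a `uv export`-style requirements.txt. Versions and hashes are placeholders.
METADATA = """\
Name: appname
Requires-Dist: requests>=2.31
Requires-Dist: Typing_Extensions; python_version < "3.11"
Requires-Dist: rich
"""
REQUIREMENTS = """\
requests==2.32.3 \\
    --hash=sha256:0000 \\
    --hash=sha256:1111
    # via appname
typing-extensions==4.12.2 \\
    --hash=sha256:2222
idna==3.7
"""
NAME = r"[A-Za-z0-9][A-Za-z0-9._-]*"

def normalize(name):
    """PEP 503 normalization, so Typing_Extensions matches typing-extensions."""
    return re.sub(r"[-_.]+", "-", name).lower()

def required_names(metadata):
    """Names the wheel declares in Requires-Dist (markers are not evaluated)."""
    found = re.findall(rf"^Requires-Dist:\s*({NAME})", metadata, flags=re.M)
    return {normalize(n) for n in found}

def locked(requirements):
    """Map normalized name -> has_hash for every `name==version` pin."""
    pins = {}
    for line in requirements.replace("\\\n", " ").splitlines():
        m = re.match(rf"({NAME})(\[[^\]]*\])?==", line.strip())
        if m:
            pins[normalize(m.group(1))] = "--hash=" in line
    return pins

def audit(metadata, requirements):
    """Return (declared but not pinned, pinned but without a hash)."""
    pins = locked(requirements)
    missing = sorted(required_names(metadata) - set(pins))
    unhashed = sorted(n for n, hashed in pins.items() if not hashed)
    return missing, unhashed

if __name__ == "__main__":
    print(audit(METADATA, REQUIREMENTS))
```

Run it in CI between the export and the install step and fail the build when either list is non-empty.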
