Python Officially Unveils New Standard Lock File Format to Improve Security

Python has officially standardized a lock file format: the acceptance of PEP 751 marks a significant milestone for the Python packaging ecosystem. The new format, named pylock.toml, addresses long-standing issues with dependency management by providing a standardized way to record exact package versions, file hashes, and installation sources, ensuring reproducibility and enhancing security.

With this standardization, Python joins other language ecosystems, such as JavaScript (package-lock.json), Rust (Cargo.lock), and PHP (composer.lock), that already have established lock file formats. Primary Python packaging tools are expected to adopt the new standard as their primary lock file format or as an export target, enhancing interoperability and reducing vendor lock-in throughout the Python ecosystem.

Brett Cannon, the author of PEP 751, notes that the standard “replaces PEP 665” and aims to unify the ecosystem around a single format that all tools can support. The new standard introduces the concepts of “lockers” (tools that write lock files) and “installers” (tools that install from lock files), allowing for a clear separation of concerns. As stated in the PEP, “Having the installer do a resolution also simplifies their implementation, centralizing complexity in lockers,” which should lead to more robust tooling across the Python ecosystem.

The format distinguishes two kinds of lock file. Single-use files are similar to requirements.txt files and serve a specific purpose, while multi-use files represent multiple use cases within a single file through extras and dependency groups.

Security is an explicit design goal. “The file format should promote good security defaults. As the format is not meant to be human-writable, this means having tools provide security-related details is reasonable and not a costly burden,” the PEP explains.

For enterprises and security teams, this development means better auditing capabilities, more reliable builds, and improved protection against dependency confusion attacks.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 08:30:06 +0000

