
Releases: conda/conda-lock

v3.0.0

03 Apr 00:38
0791c7c

What's Changed

Conda-lock v3 introduces support for mamba / micromamba v2, and includes several important bugfixes.

Only mamba / micromamba versions <2 or >=2.0.7 are supported. (2.0.0–2.0.6 are incompatible.) To see which executable conda-lock is detecting, you can add the argument --log-level=DEBUG.

The only intended breaking change is to require at least Python 3.9 (previously 3.8). There are several major underlying changes to be aware of:

  • The PyPI solver has been updated to Poetry v2.0.1. (#637, #678, #685, #769)
  • Lockfiles now support dependencies with multiple categories. (#697)

pixi

Pixi is an innovative new tool for Conda projects that includes lockfile support. While the project-centric philosophy of pixi is different from the environment-centric approach of conda-lock, in many cases it offers a compelling alternative to conda-lock. For a discussion of conda-lock vs pixi, see #615.

Conda-lock v3 includes a new render-lock-spec subcommand capable of exporting conda-lock lock specifications (including ordinary pyproject.toml files) to pixi.toml configurations. See the pixi migration guide for more information.

Detailed changelog

New features

  • Support Multiple Categories for Sub-Dependencies in Lockfile (Rebase #390) by @srilman in #697
  • Sort BaseLockedDependency.dependencies when alpha-sorting a Lockfile by @peterbygrave in #654
  • Add support for PEP 508 environment markers by @maresb in #684
  • Improve loading of PyPI mapping by @maresb in #690
  • Add render-lock-spec subcommand for exporting lock specification to pixi.toml by @maresb in #664
  • Add pixi.toml configuration by @maresb in #705, #706
  • Support Micromamba v2 by @maresb in #713, #717, #723, #720, #721, #788
  • Add/improve support for Path dependencies and GIT dependencies by @romain-intel in #712
  • Add --force-platform to conda-lock install command. by @jezdez in #753
  • Add environment variables for conda/mamba/micromamba by @maresb in #760

Bugfixes

  • Fix parsing of Poetry's caret and tilde dependencies by @maresb in #679, #683, #714
  • Refactor lock command and fix an edge case by @maresb in #695
  • Fix erroneous PyPI to Conda dep name conversion for PyPI deps by @maresb in #701, #704
  • Fix KeyError: 'pkgs_dirs' by @maresb in #733
  • Minor bugfix: don't truncate the extension in conda-meta filenames by @maresb in #744
  • Add --quiet flag in conda command to disable progress bar by @maresb in #756
  • Fix an issue that caused transitive dependencies to not have categories by @romain-intel in #768
  • Use build_string in build field in fake package by @RSchwan in #776
  • Log stderr warnings as warnings by @maresb in #772
  • Fix race condition with lookup cache by @maresb in #785

Documentation

  • Clarify that existing lockfiles are used for relocking by @sfinkens in #632
  • Correct mistake in basic usage documentation by @sfinkens in #647
  • Create a basic pixi migration guide by @maresb in #708

Maintenance

  • Update Poetry to 2.0.1 by @romain-intel in #637, #678, #685, #769
  • Update GHA release workflow to use trusted publishing / OIDC by @maresb in #631, #700
  • Replace logger.warn w/ logger.warning by @zklaus in #646
  • Fix failing mypy check by @maresb in #648
  • Do a strict pkg meta check @ release CD workflow by @webknjaz in #657
  • Log the solve command (DEBUG) by @maresb in #662
  • Show default values in CLI by @maresb in #661
  • Fix vulnerable version of black in test by @maresb in #680
  • Update .gitignore for pixi by @maresb in #681
  • Split virtual-package repo from LockSpecification by @maresb in #663
  • Add vendoring script by @maresb in #682
  • Add integration tests by @maresb in #686
  • Collect test duration data for various runner configurations by @maresb in #687
  • Use a quicker example for the channel-inversion test by @maresb in #688
  • Split tests into multiple runners with pytest-split by @maresb in #689
  • Simplify pytest GHA workflow by @maresb in #691
  • Fix test that fails when cache is deleted by @maresb in #694
  • Reduce Ubuntu and MacOS runners from 4 to 3 by @maresb in #696
  • Code migrations for Pydantic v2 by @maresb in #692
  • Revendor conda by @maresb in #699
  • Install conda-lock with pipx in integration tests for better isolation by @maresb in #698
  • Refactor to make mapping url explicit and eliminate LookupLoader by @maresb in #703
  • Echo bash commands during integration test by @maresb in #711
  • Use JSON version of the default PyPI mapping by @maresb in #715
  • Improve error message when update fails due to channel conflict by @maresb in #735
  • More refactoring of lookup module by @maresb in #738
  • Fix deprecation warnings by @maresb in #740
  • Fix missing codecov token by @maresb in #745
  • Use PAT for PRs when updating lockfile by @maresb in #752
  • Channel cleanup by @maresb in #747
  • Update miniconda Docker image to use the maintained one. by @jezdez in #755
  • Allow to call conda-lock -h (argparse default) instead of conda-lock --help by @basnijholt in #765
  • Fix new CI failures by @maresb in #773
  • Minor improvements to tests and logging by @maresb in #787
  • Generate lockfiles for separate Python versions and test accordingly by @maresb in #789
  • Refactor to eliminate code duplication in test by @maresb in #790

Full Changelog: v2.5.7...v3.0.0

v2.5.8

03 Apr 00:30
e05fb42

What's Changed

Important

This is a backport of a few bugfixes from the v3 release into v2. Most users should instead install conda-lock v3.

  • Fix KeyError: 'pkgs_dirs' by @maresb in #733
  • Log stderr warnings as warnings by @maresb in #772
  • Fix type errors and restrict to mamba<2 by @maresb in #791
  • Update GHA release workflow to use trusted publishing / OIDC by @maresb in #631, #700

Full Changelog: v2.5.7...v2.5.8

v2.5.7

26 Apr 17:11
0e63d0e

This is a bugfix release that fixes a few edge cases. The first issue involves corrupt channel URLs when updating with micromamba. For the second, conda-lock would fail to parse pip lines containing --hash.

What's Changed

Bugfix

Maintenance

Full Changelog: v2.5.6...v2.5.7

v2.5.6

13 Mar 21:38
ba0da39

What's Changed

This release fixes a bug where the content hash may not be updated correctly.

Also fixed is a spurious --file argument to the conda-lock install command suggested in the lockfile header.

Bugfix

  • Ensure that content hashes are updated for an existing lock file when re-locking by @jeffseif in #618
  • Update header cmdlines in generated lockfiles (#518) by @timsnyder in #616

Infrastructure

Full Changelog: v2.5.5...v2.5.6

v2.5.5

11 Feb 23:24
93135c1

What's Changed

This is a bugfix so that conda-lock can work in environments where setuptools is not preinstalled.

Bugfix

  • Add explicit setuptools dependency by @maresb in #608

Infrastructure

Full Changelog: v2.5.4...v2.5.5

v2.5.4

11 Feb 11:51
4bac435

What's Changed

⚠️ If you use private pip repositories, then check your lockfiles for leaked credentials and upgrade as soon as possible! ⚠️

This release fixes #594 which involves credentials leaking into lockfiles when using certain private pip repositories like AWS CodeArtifact. Specifically, some servers may echo the basic authentication credentials in their response. Conda-lock previously failed to sanitize these echoed credentials when writing the lockfile. This was identified and fixed by @wholtz in #594 and #600.
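One way to run the lockfile check recommended above, as an added example that is not part of conda-lock or of the original release notes. It assumes package URLs appear as plain text in the lockfile; the function names, the sample excerpt, its host and its token are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Any http(s) URL in the lockfile text, up to whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed lockfile excerpt: the second URL carries basic-auth userinfo.
SAMPLE_LOCKFILE = """\
package:
- name: numpy
  manager: conda
  url: https://conda.anaconda.org/conda-forge/linux-64/numpy-1.26.4-py312.conda
- name: internal-lib
  manager: pip
  url: https://aws:EXAMPLE-TOKEN@pypi.example.invalid/simple/internal-lib/internal_lib-1.0-py3-none-any.whl
"""

def redact(url):
    """Return (has_credentials, url_with_userinfo_removed)."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return False, url
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host += f":{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return True, clean

def find_credential_urls(text):
    """Return [(line_number, redacted_url)] for every URL carrying userinfo."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            leaked, clean = redact(match.group(0))
            if leaked:
                hits.append((lineno, clean))
    return hits

if __name__ == "__main__":
    # Usage: python check_lockfile.py conda-lock.yml   (exit status 1 on a hit)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    found = find_credential_urls(text)
    for lineno, clean in found:
        # Only the redacted form is printed, so the secret does not reach logs.
        print(f"line {lineno}: credentials embedded in URL for {clean}")
    sys.exit(1 if found else 0)
```

A hit in a committed lockfile means the credential is also in the repository history, so it needs rotating as well as removing from the file.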

Bugfix

  • Remove credentials from response URLs by @wholtz in #600
  • Fix broken --pypi_to_conda_lookup_file option by @ianpye in #588

New feature

  • The PyPI mapping can now be specified as a local file (in addition to an http[s] URL) by @maresb in #588

Infrastructure

  • Save mock private pypi package to temp directory by @maresb in #601
  • Minor improvements to pytest configuration by @maresb in #602
  • Improve docs related to contribution by @maresb in #603
  • Catch CalledProcessErrors from both subprocess and Poetry by @maresb in #604
  • Add explanation and minor improvement to #581 by @tadeu in #586

Full Changelog: v2.5.3...v2.5.4

v2.5.3

05 Feb 15:08
431c09b

This release fixes #596 and now works with the recent ensureconda release, which removed distutils and enabled Python 3.12 compatibility.

What's Changed

  • Increase minimum ensureconda version for py3.12 compatibility by @jfrost-mo in #597

Full Changelog: v2.5.2...v2.5.3

v2.5.2

18 Jan 20:34
068bd19

What's Changed

This is primarily a bugfix release.

It also improves the formatting of environment.yml-style lockfiles (those produced with --kind=env).

Bugfixes

  • Fix case when using multiple platforms but pip contains a single platform by @basnijholt in #564
  • Fix an issue when specifying full wheel URLs for a pypi package. by @romain-intel in #567
  • Make the Python resolver respect any __glibc constraint by @romain-intel in #566
  • Avoid I/O deadlock with conda by @tadeu in #581

Lockfile formatting enhancements

Maintenance / infrastructure

Docs

Full Changelog: v2.5.1...v2.6.0

v2.5.1

20 Nov 21:48
3d2bf35

What's Changed

This fixes a bug where virtual packages were being included in unified lockfiles. (They should have been filtered out.) This can lead to warnings and/or errors during installation as reported in #556.

Bugfix

Full Changelog: v2.5.0...v2.5.1

v2.5.0

20 Nov 12:46
6d1273c

What's Changed

Unified lockfiles (i.e. conda-lock.yml) are now generated with the packages listed in alphabetical order. (In earlier versions, packages were sorted in "topological order", meaning that if packages are installed in the given order then their dependencies will always be satisfied.) Alphabetical ordering should be more stable, making it easier for humans to read diffs between lockfiles.

The precise ordering of packages is as follows. Conda packages are always listed before pip packages. Then packages are sorted alphabetically by package name. If multiple platforms are being locked, then packages with the same name are ordered by platform name.

New features

Bugfix

  • Fix spurious conda-lock install warning and increase coverage of install command by @maresb in #547

Infrastructure

  • Fix vulnerable pyarrow version in test by @maresb in #553

Full Changelog: v2.4.2...v2.5.0