support (language-specific) lockfiles #1311

@ctcjab

The most painfully missing feature in pre-commit is the lack of proper support for providing a lockfile for hooks, so that the dependencies installed in their associated environments are reproducible.

The best you can currently do with pre-commit is exclude already-known-bad versions using `additional_dependencies`, which is a poor workaround, since you only know about bad versions that have already been published, and can still pick up a new bad version of a transitive dependency at any time in the future (whenever a new bad version happens to be published).

(And in fact this recently caused CI to fail for teams across the world when ruamel.yaml published a new version, v0.19.0, on New Year's Eve, no less, which the millions of users of pre-commit-hooks picked up transitively, and suddenly their CI went from green to red with no changes to their own code due to "deployment issues" in 0.19.0 coupled with "the lack of proper pinning" due to pre-commit's lack of support for lockfiles.)

Unfortunately the pre-commit maintainer either does not understand or does not care about this issue, as evidenced by his hiding this suggestion as "off-topic" when mentioned in the associated bug in the tracker (so you have to scroll up a little and click the "show comment" icon to read these relevant, 2-sentence-long comments):

If prek supported an optional way to specify (and better yet, first generate) a language-specific lockfile that it would use for a given hook when creating/updating its environment (e.g. in the pre-commit-hooks case, since it's a `language: python` hook, prek could accept a `uv.lock` file), it would avoid issues like everyone recently hit with ruamel.yaml, and SDLC teams like mine would be that much quicker to standardize on and migrate our entire firms to prek and off of pre-commit.

Thanks for your consideration!
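An added example, not part of the original issue and not prek or pre-commit code: a drift check that compares a hook environment's `pip freeze` output against a set of exact pins, which catches the transitive-version change described above that an exclusion list cannot anticipate. The function names and all sample versions except ruamel.yaml 0.19.0 are constructed for illustration, and only `name==version` lines are assumed.

```python
import re


def normalize(name):
    """PEP 503 normalization, so 'ruamel.yaml' and 'Ruamel_YAML' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Parse 'name==version' lines (pip freeze / constraints style) into a dict."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            # Anything that is not an exact pin defeats reproducibility.
            raise ValueError(f"not an exact pin: {raw!r}")
        pins[normalize(name)] = version.strip()
    return pins


def drift(locked_text, installed_text):
    """Return (changed, unlocked, missing) between the pins and the environment."""
    locked, installed = parse_pins(locked_text), parse_pins(installed_text)
    changed = {n: (locked[n], v) for n, v in installed.items()
               if n in locked and locked[n] != v}
    unlocked = sorted(n for n in installed if n not in locked)  # transitive, never pinned
    missing = sorted(n for n in locked if n not in installed)
    return changed, unlocked, missing


# Constructed sample data: the pins recorded when the hook environment last worked.
LOCKED = """
pre_commit_hooks==1.0.0   # constructed version
ruamel.yaml==0.18.0       # constructed version
"""

# Constructed `pip freeze` output from a freshly rebuilt hook environment.
INSTALLED = """
pre-commit-hooks==1.0.0
ruamel.yaml==0.19.0
ruamel.yaml.clib==0.2.0
"""

if __name__ == "__main__":
    changed, unlocked, missing = drift(LOCKED, INSTALLED)
    for name, (want, got) in changed.items():
        print(f"DRIFT    {name}: locked {want}, installed {got}")
    for name in unlocked:
        print(f"UNLOCKED {name}: installed but not pinned")
    for name in missing:
        print(f"MISSING  {name}: pinned but not installed")
```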

Labels: enhancement (New feature or request)