Pipfile.lock records a hash for every package it pins, so an installer can refuse any artifact whose contents do not match the locked hash; this protects your project from "dependency confusion" or compromised packages being injected during the install process.
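To show what that hash check actually does, here is an added example (not pipenv's own code and not from the original page) that builds a minimal Pipfile.lock-style JSON for one constructed package and verifies a downloaded artifact against the pinned sha256 values; the package name, version and artifact bytes are all constructed stand-ins, and the lock structure is reduced to the `default` / `hashes` / `version` keys a real Pipfile.lock uses:

```python
import hashlib
import json

# Constructed stand-in for a wheel or sdist fetched from the index (not a real package).
GENUINE_ARTIFACT = b"demo-package-1.0.0 genuine wheel contents"
# Constructed stand-in for a substituted artifact with the same name and version.
TAMPERED_ARTIFACT = b"demo-package-1.0.0 wheel contents with an extra payload"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 digest, the algorithm Pipfile.lock hashes use."""
    return hashlib.sha256(data).hexdigest()


def build_lock(name: str, version: str, artifacts) -> str:
    """Build a minimal Pipfile.lock-style JSON document (constructed for this example,
    not pipenv's own locking logic). One hash is pinned per acceptable artifact."""
    lock = {
        "default": {
            name: {
                "version": f"=={version}",
                "hashes": [f"sha256:{sha256_hex(a)}" for a in artifacts],
            }
        }
    }
    return json.dumps(lock, indent=2)


def verify_artifact(lock_json: str, name: str, data: bytes) -> bool:
    """Return True only if the sha256 of `data` is one of the hashes pinned for `name`.

    A package that is missing from the lock, or that has no pinned hashes, is
    rejected rather than trusted: that is the fail-closed behaviour that makes the
    lock file useful against a substituted or tampered artifact."""
    entry = json.loads(lock_json).get("default", {}).get(name)
    if not entry or not entry.get("hashes"):
        return False
    pinned = {h.split(":", 1)[1] for h in entry["hashes"] if h.startswith("sha256:")}
    return sha256_hex(data) in pinned


if __name__ == "__main__":
    lock = build_lock("demo-package", "1.0.0", [GENUINE_ARTIFACT])
    print(lock)
    print("genuine accepted:", verify_artifact(lock, "demo-package", GENUINE_ARTIFACT))
    print("tampered accepted:", verify_artifact(lock, "demo-package", TAMPERED_ARTIFACT))
```

The tampered artifact carries the same name and version as the genuine one, which is exactly the case a version pin alone cannot catch; only the content hash distinguishes them.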
Pipfile:

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
            your-project
             /        \
            /          \
      package-A      package-B
    needs X>=2.0    needs X<2.5
            \          /
             \        /
        package-X (which version?)
my-package = {path = "./path/to/local/package", editable = true}