Description
@deltamarnix mentioned that an SBOM (Software Bill of Materials) is a requirement for a stable or GA release. He suggested using sbom4python. This has a limitation that version numbers need to be pinned, and that it uses a requirements.txt file. Alternatives are this one or this one.
What I dislike about this is that they all appear to be looking through PyPI instead of conda-forge, where we fetch most of our packages from. Furthermore, we have the pixi.lock file, which I guess should have pretty much all required info already? It seems generating SBOMs for packages on conda-forge is not something many people have invested time in. Apparently Anaconda has a paid version where you can generate an SBOM for your package (on the default conda channel): https://engineering.anaconda.com/2022/04/sboms-at-anaconda.html.
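As an added illustration (not code from this issue or the project), here is a sketch of how the package data a pixi.lock already carries could be turned into a CycloneDX-style component list with conda-aware package URLs. The lock-file field names and the sample entries are constructed assumptions about the format; the purl qualifiers follow the package-url spec for the `conda` type.

```python
"""Sketch: derive SBOM components from pixi.lock-style package entries."""
import json

# Constructed sample mirroring the assumed shape of pixi.lock "packages"
# entries (conda and pypi sources). Not copied from a real lock file.
SAMPLE_PACKAGES = [
    {"conda": "https://conda.anaconda.org/conda-forge/noarch/example-a-1.2.0-pyhd8ed1ab_0.conda",
     "name": "example-a", "version": "1.2.0", "build": "pyhd8ed1ab_0",
     "sha256": "0" * 64, "license": "MIT"},
    {"conda": "https://conda.anaconda.org/conda-forge/linux-64/example-b-2.0.1-h1234567_1.conda",
     "name": "example-b", "version": "2.0.1", "build": "h1234567_1",
     "sha256": "1" * 64},
    {"pypi": "https://files.pythonhosted.org/packages/example_c-3.4.5-py3-none-any.whl",
     "name": "example-c", "version": "3.4.5", "sha256": "2" * 64},
]


def purl_for(pkg):
    """Package URL; conda packages get build/channel/subdir qualifiers."""
    if "conda" in pkg:
        parts = pkg["conda"].split("/")
        channel, subdir = parts[-3], parts[-2]   # .../<channel>/<subdir>/<file>
        return (f"pkg:conda/{pkg['name']}@{pkg['version']}"
                f"?build={pkg['build']}&channel={channel}&subdir={subdir}")
    return f"pkg:pypi/{pkg['name']}@{pkg['version']}"


def component_for(pkg):
    """One CycloneDX component, carrying the lock file's digest for verification."""
    comp = {"type": "library", "name": pkg["name"], "version": pkg["version"],
            "purl": purl_for(pkg),
            "hashes": [{"alg": "SHA-256", "content": pkg["sha256"]}]}
    if "license" in pkg:
        comp["licenses"] = [{"license": {"id": pkg["license"]}}]
    return comp


def build_cyclonedx(packages):
    """Minimal CycloneDX-shaped document (only the fields used here)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": [component_for(p) for p in packages]}


def missing_hashes(packages):
    """Entries without a digest give the SBOM nothing that can be verified."""
    return [p["name"] for p in packages if not p.get("sha256")]


if __name__ == "__main__":
    print(json.dumps(build_cyclonedx(SAMPLE_PACKAGES), indent=2))
```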