As mentioned previously, a requirements file, requirements.txt
, can be created to provide a list of packages to install all at once, via pip install -r requirements.txt
. The requirements file can specify specific or minimum versions, or simply specify the library name and the latest version will be installed.
It should be noted that files pulled from the requirements file aren't necessarily installed in a particular order. If you require certain packages to be installed prior to others, you will have to take measures to ensure that the installation is sequential, such as having multiple pip install
calls.
Requirements files can specify version numbers of packages explicitly. For example, two different modules (m1 and m2) both depend on a third module (m3). The module m1 requires m3 to be at least version 1.5, but m2 requires it to be no later than version 2.0; the current version of m3 is 2.3. In addition, the latest version of m2 (version 1.7) is known to contain a bug.
Hash digests can be used in requirements files to verify downloaded packages to guard against a compromise of the PyPI database or the HTTPS certificate chain. This is actually a good thing, as in 2017 ten Python libraries (https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/) uploaded to PyPI were found to be hosting malicious files.
Because PyPI does not perform any security checks or code auditing when packages are uploaded, it is actually very easy to upload malicious software.
Manually create
requirements.txt
by typing in the packages to include in the project. The following is an example from https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format:
FooProject == 1.2 --hash=sha256:<hash_digest>
- If there are module conflicts, or special versioning is needed, provide the first module required:
m1
- Indicate the second module, but ensure the version installed pre-dates the known bad version:
m2<1.7
- Provide the third module, ensuring it is at least equal to the minimum version required, but no greater than the maximum version that can be used:
m3>=1.5, <=2.0
While the preceding screenshot shows some version specifier requirements, here is an example showing some of the different ways to specify module versions in requirements.txt
:
flask flask-pretty == 0.2.0 flask-security <= 3.0 flask-oauthlib >= 0.9.0, <= 0.9.4
In this example, module m1
is specified as a requirement, but the version number doesn't matter; in this case, pip
will install the latest version. However, because of the bug in the latest version of m2
, an earlier version is specified to be installed. Finally, m3
must be a version between 1.5 and 2.0 to satisfy the installation. Naturally, if one of these conditions can't be met, the installation will fail and the offending library and version numbers will be displayed for further troubleshooting.
It's worth noting that pip
doesn't have true dependency resolution; it will simply install the first file specified. Thus, it is possible to have dependency conflicts or a sub-dependency that doesn't match the actual requirement. This is why a requirements file is useful, as it alleviates some dependency problems.
Verifying hashes also ensures that a package can't be changed without its version number changing as well, such as in an automated server deployment. This is an ideal situation for efficiency, as it eliminates the need for a private index server that maintains only approved packages.