dephash
Production installs sometimes call for pinning package versions; hash checking adds to the security and stability of those installs. pip >= 8.0.0
allows for checking package hashes through requirements files. However, it's easy for requirements to fall out of date, and it's a hassle to test other versions of packages.
With dephash
, a permissive requirements-dev.txt
can be transformed into a fully version-pinned, hashed requirements-prod.txt
.
Usage
# Generate pinned+hashed requirements-prod.txt
dephash [-v] [-l,--logfile LOGFILE] gen requirements-dev.txt > requirements-prod.txt
# Check for outdated packages in PATH, where PATH is a virtualenv or requirements file
dephash [-v] [-l,--logfile LOGFILE] outdated PATH