Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Get Python Requirements Package Hashes

By David Walsh on May 15, 2017

Python's (pip's) requirements.txt file is the equivalent to package.json in the JavaScript / Node.js world. This requirements.txt file isn't as pretty as package.json but it not only defines a version but goes a step further, providing a sha hash to compare against to ensure package integrity:

Flask==0.12.1 \
    --hash=sha256:6c3130c8927109a08225993e4e503de4ac4f2678678ae211b33b519c622a7242
Jinja2==2.9.6 \
    --hash=sha256:2231bace0dfd8d2bf1e5d7e41239c06c9e0ded46e70cc1094a0aa64b0afeb054
MarkupSafe==1.0 \
    --hash=sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665

....

Coming from the JavaScript / package.json world, you only need to provide the package name and version. To get the hash of a python package, you can use hashin. The first step is installing hashin:

pip install hashin

Once hashin is installed, you can get the package hash easily:

hashin Flask==0.12.1

The code above adds the package name, version, and available hashes to your requirements.txt file automatically. Unfortunately I'm not aware of a method for recursive hashin checks, so if a package dependency doesn't use hashes, you'll need to run hashin for each of those packages manually.

Recent Features

By David WalshNovember 26, 2012
Animated 3D Flipping Menu with CSS
CSS animations aren't just for basic fades or sliding elements anymore -- CSS animations are capable of much more. I've showed you how you can create an exploding logo (applied with JavaScript, but all animation is CSS), an animated Photo Stack, a sweet...
By David WalshApril 15, 2015
fetch API
One of the worst kept secrets about AJAX on the web is that the underlying API for it, XMLHttpRequest, wasn't really made for what we've been using it for. We've done well to create elegant APIs around XHR but we know we can do better. Our effort to...

Incredible Demos

By David WalshMarch 30, 2009
MooTools Flashlight Effect
Another reason that I love Twitter so much is that I'm able to check out what fellow developers think is interesting. Chris Coyier posted about a flashlight effect he found built with jQuery. While I agree with Chris that it's a little corny, it...
By David WalshJune 29, 2009
Highlighter: A MooTools Search & Highlight Plugin
Searching within the page is a major browser functionality, but what if we could code a search box in JavaScript that would do the same thing? I set out to do that using MooTools and ended up with a pretty decent solution. The MooTools JavaScript Class The...

Discussion

Peter Bengtsson
I think in your second snippet you mean hashin Flask==0.12.1.

Also, hashin works by just specifying the package name. It’ll then install the latest version. E.g. hashin Flask.

David Walsh
Yep, my bad! Updated!

Francis O'Donovan
Check out for getting both recursive checks and hashes.
F Fouvry
pip-compile (from pip-tools) can generate hashes in a requirements file, using the option --generate-hashes.

Get Python Requirements Package Hashes

Recent Features

Animated 3D Flipping Menu with CSS

fetch API

Incredible Demos

MooTools Flashlight Effect

Highlighter: A MooTools Search & Highlight Plugin

Discussion