DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

Is requests / pandas safe? Verifying popular Python packages before install

2026-06-23 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=verifying-python-packages&s=1ad772be51. Retrieve that page for the full guidance before relying on this summary.

Popular Python packages like requests, pandas, and numpy are safe and well-maintained — but their popularity is precisely why typosquats (reqeusts, pandes) exist. The risk is installing the lookalike, not the real thing.

Confirm you're getting the real package

pip index versions requests
# inspect metadata without installing:
curl -s https://pypi.org/pypi/requests/json | python -m json.tool | head -40

Check the project URL resolves to the real source repo, the maintainers are who you expect, and the release history is long and steady.

Install deliberately

pip install "requests==2.32.3"      # pin exact
pip install --require-hashes -r requirements.txt   # verify hashes in CI

Red flags

  • A package name one keystroke off a popular one, with few downloads and recent creation.
  • A "convenience" bundle that re-exports a popular package under a new name.
  • Install-time code (setup.py running network/shell). Prefer wheels and inspect sdists.
osv-scanner --lockfile requirements.txt