Popular Python packages like requests, pandas, and numpy are
safe and well-maintained — but their popularity is precisely why typosquats (reqeusts,
pandes) exist. The risk is installing the lookalike, not the real thing.
Confirm you're getting the real package
pip index versions requests
# inspect metadata without installing:
curl -s https://pypi.org/pypi/requests/json | python -m json.tool | head -40
Check the project URL resolves to the real source repo, the maintainers are who you expect, and the release history is long and steady.
Install deliberately
pip install "requests==2.32.3" # pin exact
pip install --require-hashes -r requirements.txt # verify hashes in CI
Red flags
- A package name one keystroke off a popular one, with few downloads and recent creation.
- A "convenience" bundle that re-exports a popular package under a new name.
- Install-time code (
setup.pyrunning network/shell). Prefer wheels and inspect sdists.
osv-scanner --lockfile requirements.txt