by SethMLarson 886 days ago
The recommended guidance is either vendoring dependencies or pinning to hashes (pip --require-hashes, poetry.lock, pipfile). When updating your dependencies you should review the actual file getting downloaded.

Compiled binaries are harder; you might consider compiling them from source and comparing the output. This is where build reproducibility comes into play.

There's a lot more coming in the Python packaging security space that'll make this easier and just safer in general. Stay tuned :)

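As an added illustration of the hash-pinning approach in the comment above (this is example code, not from the thread or from pip itself), the block below mimics what `pip install --require-hashes` enforces: every requirement must carry at least one `--hash=alg:hex` option, and a downloaded file is accepted only if its digest matches one of the pinned values. It also includes the simple digest comparison that a reproducible-build check reduces to. The requirements text, package name `example-lib` and wheel bytes are constructed for the example; the function names are the example's own.

```python
"""Verify downloaded distribution files against a hash-pinned requirements file.

Added example, not code from the Hacker News thread or from pip. It imitates the
checks pip performs in hash-checking mode: unpinned requirements are refused,
and an artifact is accepted only when its digest matches a pinned hash.
All sample data below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_requirements(text: str) -> dict:
    """Parse `pkg==ver --hash=alg:hex ...` lines, joining backslash continuations."""
    logical = text.replace("\\\n", " ")  # pip-compile splits hashes over lines
    reqs = {}
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = m.group(1).lower().replace("_", "-")  # normalise like pip does
        req = PinnedRequirement(name, m.group(2))
        for alg, hexdigest in _HASH_RE.findall(line):
            req.hashes.setdefault(alg, set()).add(hexdigest.lower())
        if not req.hashes:
            # pip --require-hashes aborts when any requirement lacks a hash
            raise ValueError(f"{name}=={req.version} has no --hash; refusing in hash-checking mode")
        reqs[name] = req
    return reqs


def verify_artifact(reqs: dict, name: str, data: bytes) -> bool:
    """Return True only if `data` matches one of the pinned hashes for `name`."""
    req = reqs.get(name.lower().replace("_", "-"))
    if req is None:
        return False  # not in the lock file at all: an unexpected download
    for alg, allowed in req.hashes.items():
        if alg not in hashlib.algorithms_available:
            continue
        if hashlib.new(alg, data).hexdigest() in allowed:
            return True
    return False


def builds_are_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Two rebuilds of the same source should be byte-identical; a differing
    digest means the build is not reproducible or one artifact was altered."""
    return hashlib.sha256(build_a).hexdigest() == hashlib.sha256(build_b).hexdigest()


# Constructed sample: stand-ins for the wheel we expect and a tampered copy.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel contents for example-lib 1.2.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\x00"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Constructed requirements text in the multi-line, multi-hash layout pip-compile emits.
SAMPLE_REQUIREMENTS = f"""
# constructed, hash-pinned requirements
example-lib==1.2.0 \\
    --hash=sha256:{GOOD_SHA256} \\
    --hash=sha256:{'0' * 64}
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    print("good wheel accepted:", verify_artifact(reqs, "example_lib", GOOD_WHEEL))
    print("tampered wheel accepted:", verify_artifact(reqs, "example_lib", TAMPERED_WHEEL))
    print("rebuild reproducible:", builds_are_reproducible(GOOD_WHEEL, GOOD_WHEEL))
```

The second, all-zero hash in the sample stands in for a second allowed artifact (for instance a platform-specific wheel alongside the sdist); pip accepts a file if it matches any listed hash for that requirement, which is why the verifier checks against a set rather than a single value.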

Pinning… I wrote a library in Python. The initial versions were to get it to work. Later I made the code much more efficient.

Of course 90% of the downloads come from the pinned old versions.

They were so inefficient… and are still contributing to create waste even though the new releases are like 20x faster.