Supply chain and dependency management

Our requirements.txt file is designed to work with `pip install --require-hashes`, which ensures that every installed dependency matches a hash stored in this repository. In that mode pip refuses to install anything unless every dependency (including dependencies of dependencies) is listed, pinned to an exact version with `==`, and paired with a hash; a requirement without a hash, or a downloaded file whose hash does not match, aborts the whole install rather than silently falling back to an unverified download. We therefore don't edit requirements.txt by hand. Instead, we place our immediate dependencies in and run (which calls pip-tools' pip-compile command) to regenerate requirements.txt for production.

Continuous integration is set up with CircleCI at and performs unit tests, integration tests, and security checks on our dependencies.

1. CI runs which checks that requirements.txt is in sync with the file of immediate dependencies it is compiled from. The same script is set up to run against any similar file pairs as well, such as the MySQL-specific requirements_mysql.* files.
2. CI checks that there are no known vulnerabilities in the dependencies.
3. CI checks that all packages are up to date with upstream sources (unless the package and its latest upstream version are listed in requirements_txt_checker_ignoreupdates.txt). Because the ignore list names a specific package and version pair, an exemption stops applying as soon as a newer upstream release appears, so stale pins cannot be ignored indefinitely.
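As an added example (not the project's own CI script), the following shows offline what the hash-pinning requirement and the sync check above enforce: a parser for the pip-compile output layout that rejects any requirement not pinned with `==` or lacking a `--hash` option (the two conditions `--require-hashes` checks at install time), a cheap sync check that confirms every name in the immediate-dependency file has a pinned entry in the lock file, and the sha256 digest pip compares against a downloaded artifact. The sample requirements text, file names and function names are constructed for this example; the sync check here is a weaker proxy than re-running pip-compile and diffing its output against the committed file, which is the authoritative test.

```python
"""Offline checks for a requirements.txt meant for `pip install --require-hashes`.

Added example, not the project's own CI script. The sample text below is
constructed for the example and is not a real lock file.
"""
import hashlib
import re
import sys
from pathlib import Path

# "name==version" with optional extras; an environment marker may follow after ';'.
_PINNED = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==(?P<version>[^\s;]+)")
_HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
# Algorithms pip accepts in --hash; pip-compile emits sha256.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}

# Constructed sample in pip-compile's output layout (digests are placeholders).
SAMPLE_LOCK = """\
#
# This file is autogenerated by pip-compile (constructed sample)
#
asgiref==3.4.1 \\
    --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
django==3.2.5 \\
    --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \\
    --hash=sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""
# Same file with two entries that --require-hashes would refuse.
SAMPLE_BAD = SAMPLE_LOCK + "requests>=2.0\nsqlparse==0.4.1\n"


def logical_lines(text):
    """Strip comments, join backslash-continued lines, drop blanks (pip's own rules)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def check_requirements(text):
    """Return a list of problems; an empty list means the file satisfies --require-hashes."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):
            # -r/-i/--index-url lines are not requirements; pip-compile output has none.
            problems.append(f"unexpected option line: {line}")
            continue
        m = _PINNED.match(line)
        if not m:
            problems.append(f"not pinned with ==: {line}")
            continue
        hashes = _HASH_OPT.findall(line)
        if not hashes:
            problems.append(f"{m['name']}=={m['version']} has no --hash")
            continue
        for algo, digest in hashes:
            if algo not in ALLOWED_ALGOS:
                problems.append(f"{m['name']}: unsupported hash algorithm {algo}")
            elif len(digest) != hashlib.new(algo).digest_size * 2:
                problems.append(f"{m['name']}: {algo} digest has wrong length")
    return problems


def canonical(name):
    """PEP 503 name normalisation so Django, django and DJANGO compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def missing_from_lock(reqs_in, lock):
    """Names in the immediate-dependency file with no pinned entry in the lock file.

    A cheap offline proxy for the CI sync check; the authoritative test is to
    re-run pip-compile and diff its output against the committed requirements.txt.
    """
    locked = {canonical(_PINNED.match(l)["name"]) for l in logical_lines(lock) if _PINNED.match(l)}
    missing = []
    for line in logical_lines(reqs_in):
        if line.startswith("-"):
            continue
        m = _NAME.match(line)
        if m and canonical(m.group()) not in locked:
            missing.append(m.group())
    return missing


def artifact_hash(data):
    """Digest in the form pip compares against a downloaded file (what `pip hash` prints)."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOCK
    problems = check_requirements(text)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run with a path to a requirements file to lint it, or with no argument to lint the constructed sample; a non-zero exit code makes it usable as a CI step. Note that the lint only proves the file is in the shape `--require-hashes` demands; whether the pinned digests are the right ones is established when they are generated by pip-compile from the index and committed, which is exactly why the file is never edited by hand.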