Output installed Python packages in requirements format, including also hashes of Python packages
Note
Note this tool requires pip with PEP-710 support which is a draft PEP as of today. See this article and the FAQ section bellow.
The tool can be installed from GitHub:
pip install git+https://github.com/fridex/pip-preserve.git
You can also consume the published package on PyPI (recommended):
pip install pip-preserve
After the installation process is successfully done, pip-preserve CLI
is available:
pip-preserve --help
By default, the tool uses the current environment to find installed packages
and reconstruct a requirements.txt file:
$ pip-preserve --ignore-errors # # This file is autogenerated by pip-preserve version 0.0.1 with Python 3.9.13. # click==8.1.3 \ --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 daiquiri==3.2.1 \ --hash=sha256:b797a7ac94219dc26ef8ebf04f1f507eefa83a7d174e9eb41acc33e3ebf16f38 # micropipenv==1.5.0 installed using a direct URL git+https://github.com/thoth-station/micropipenv@8176862ec96df23e152938659d6f45645246e398 packaging==23.0 \ --hash=sha256:714ac14496c3e68c99c29b00845f7a2b85f3bb6f1078fd9f72fd20f0570002b2 # pip==23.1.dev0 installed using a direct URL file:///Users/user/git/fridex/pip # pip-preserve==0.0.1 installed using a direct URL -e file:///Users/user/git/fridex/pip-preserve python-json-logger==2.0.7 \ --hash=sha256:f380b826a991ebbe3de4d897aeec42760035ac760345e57b812938dc8b35e2bd
If you wish to obtain direct URLs of packages installed, you can pass
--direct-url flag:
$ pip-preserve --direct-url --ignore-errors 2023-04-05 12:36:26,168 [41348] WARNING pip_preserve._lib: No provenance_url.json or direct_url.json found for 'setuptools' in version '58.1.0' 2023-04-05 12:36:26,168 [41348] WARNING pip_preserve._lib: The generated output will miss information from '/Users/user/git/fridex/pip-preserve/.venv/lib/python3.9/site-packages/setuptools-58.1.0.dist-info', please review any missing packages in the output # # This file is autogenerated by pip-preserve version 0.0.1 with Python 3.9.13. # https://files.pythonhosted.org/packages/c2/f1/df59e28c642d583f7dacffb1e0965d0e00b218e0186d7858ac5233dce840/click-8.1.3-py3-none-any.whl \ --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 https://files.pythonhosted.org/packages/43/b0/b916172eee4e946dea7155ed969865c1b2c01c883101e33d1eb0c224a6a0/daiquiri-3.2.1-py3-none-any.whl \ --hash=sha256:b797a7ac94219dc26ef8ebf04f1f507eefa83a7d174e9eb41acc33e3ebf16f38 # micropipenv==1.5.0 installed using a direct URL git+https://github.com/thoth-station/micropipenv@8176862ec96df23e152938659d6f45645246e398 https://files.pythonhosted.org/packages/ed/35/a31aed2993e398f6b09a790a181a7927eb14610ee8bbf02dc14d31677f1c/packaging-23.0-py3-none-any.whl \ --hash=sha256:714ac14496c3e68c99c29b00845f7a2b85f3bb6f1078fd9f72fd20f0570002b2 # pip==23.1.dev0 installed using a direct URL file:///Users/user/git/fridex/pip # pip-preserve==0.0.1 installed using a direct URL -e file:///Users/user/git/fridex/pip-preserve https://files.pythonhosted.org/packages/35/a6/145655273568ee78a581e734cf35beb9e33a370b29c5d3c8fee3744de29f/python_json_logger-2.0.7-py3-none-any.whl \ --hash=sha256:f380b826a991ebbe3de4d897aeec42760035ac760345e57b812938dc8b35e2bd
If the tool cannot determine from where a package was installed, it will fail.
This error can be ignored by supplying --ignore-errors flag. Any errors are
turned into warnings that can be reviewed once the tool prints results.
To explicitly point to a site-packages directory, use the --site-packages
option.
To get more information about this tool, issue --help.
Q: The tool fails or I'm getting warnings similar to the one below and my output is missing some packages:
No provenance_url.json or direct_url.json found
A: You most probably don't have pip with PEP-710 support. Please install pip with PEP-710 support, for example using this patch (experimental):
pip install git+https://github.com/fridex/pip.git@provenance-url
See the LICENSE file.