
Switch to using a `requirements.in` and generate a pinned `requirements.txt`

Open mhucka opened this issue 1 month ago • 0 comments

What is the task?

Security scanners consistently complain about the lack of pinned dependencies in the `pip install -r requirements.txt` commands in the CI workflows. It's true that the old-style requirements.txt approach is not good practice, for both reproducibility and security reasons. We should pin dependency versions by hashes.

(Optional) Do you have ideas or preferences for the approach?

We could auto-generate pinned dependencies in the following way:

  1. Move the contents of our current requirements.txt into requirements.in
  2. Use pip-compile to generate requirements.txt:

     ```
     pip install pip-tools
     pip-compile --generate-hashes requirements.in
     ```

Instructions to users and pip install commands in the CI workflows can remain unchanged: run pip install -r requirements.txt. For developers, we can add instructions and perhaps a script in dev_tools/ to do the steps above. In the CI workflow, we could also add a step before pip installs that runs pip-compile if the requirements.txt is older than the requirements.in file.
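As an added illustration of the developer script and the "only recompile when requirements.in is newer" CI step proposed above (example code, not qsim's own tooling; the script name dev_tools/update_requirements.sh and the `is_hash_pinned` check are assumptions), a small POSIX shell script that regenerates the pinned file only when needed and then verifies that every pin in the result actually carries a `--hash` line, so a hand-edited or stale requirements.txt cannot silently slip back to unpinned installs:

```shell
#!/bin/sh
# Hypothetical dev_tools/update_requirements.sh (added example, not qsim's own code).
# Regenerates a hash-pinned requirements.txt from requirements.in only when the
# .in file is newer, then checks that every pin in the result carries a hash.
set -eu

REQ_IN="${REQ_IN:-requirements.in}"
REQ_TXT="${REQ_TXT:-requirements.txt}"

# Exit 0 when the pinned file ($2) is missing or older than its source ($1).
needs_recompile() {
  [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# Validate `pip-compile --generate-hashes` output: each "pkg==ver" line must be
# followed by at least one "--hash=sha256:..." line before the next pin.
# Exit 0 when fully hash-pinned, 1 otherwise (e.g. a hand-edited file).
is_hash_pinned() {
  pending=0; pins=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                              # drop "# via ..." comments
    line="$(printf '%s' "$line" | tr -d ' \t\\')"   # drop spaces and "\" continuations
    case "$line" in
      "")              ;;                           # blank line
      --hash=sha256:*) [ "$pins" -gt 0 ] || return 1; pending=0 ;;
      -*)              ;;                           # other options: -r, --index-url, ...
      *==*)            [ "$pending" -eq 0 ] || return 1   # previous pin had no hash
                       pending=1; pins=$((pins + 1)) ;;
      *)               return 1 ;;                  # unpinned name or version range
    esac
  done < "$1"
  [ "$pins" -gt 0 ] && [ "$pending" -eq 0 ]
}

# pip-compile is provided by pip-tools (pip install pip-tools).
regenerate() {
  if needs_recompile "$REQ_IN" "$REQ_TXT"; then
    pip-compile --generate-hashes --output-file "$REQ_TXT" "$REQ_IN"
  else
    echo "$REQ_TXT is newer than $REQ_IN; nothing to do"
  fi
  is_hash_pinned "$REQ_TXT" || { echo "$REQ_TXT is not fully hash-pinned" >&2; return 1; }
}

# Only run the driver when invoked with --run, so the functions can also be sourced.
case "${1:-}" in --run) regenerate ;; esac
```

In CI the same `needs_recompile` test can gate a pip-compile step before `pip install -r requirements.txt`, and `is_hash_pinned` can fail the job if the committed file has lost its hashes.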

How urgent is this for you?

None

mhucka · Nov 08 '25 19:11