Check out a free preview of the full Intermediate Python course
The "Using External Packages" Lesson is part of the full, Intermediate Python course featured in this preview video. Here's what you'd learn in this lesson:
Nina discusses how to ensure that the correct version of pip is being utilized to download a package, and security concerns over installing mistyped packages.
Transcript from the "Using External Packages" Lesson
[00:00:00]
>> Nina Zakharenko: You saw me use pip to install requests in introduction to Python. That all happened very fast, and I didn't really talk about where I might go to find out more information about the request package that I use. So PyPI,
>> Nina Zakharenko: PyPI lives at pypi.org.
>> Nina Zakharenko: And you can find, install, publish Python packages with this Python Package Index.
[00:00:41]
So here I could search for requests, and as of right now, there are 172,000 stored in PyPI. So I can search for requests, and we'll see a few things here. Now, it looks like request three is a name squat.
>> Student: It's not up yet, that's why they put that there.
[00:01:06]
>> Nina Zakharenko: Yeah, so this isn't quite the package that we're looking for. Let's look at this one, and this is a version number. And here we go, it says it gives us a project description. So it's the Non-GMO HTTP Library for easier HTTP consumption, and we can look at the release history, we can download the files.
[00:01:31]
The project will usually have a link to the home page.
>> Nina Zakharenko: We can click here to view the statistics for this. And,
>> Nina Zakharenko: Looks like this is a specific version, but these should just post statistics right here. We'll see who the maintainers are kind of on the left-hand side, what the license is, the development status, if it's just a beta version, and which versions it supports.
[00:02:08]
And this is a really, really great tool, a great resource. You can search for all sorts of external packages here. And to install this library, we'll give you setup instructions right here. So the new, you'll see pip being used here, but the new recommended way of installing packages, and I'm gonna exit out of my repl.
[00:02:35]
So I would say, don't do this. Because as we talked about, as you install more versions of Python on your system, you'll usually have a Python 2 and a Python 3. You end up with multiple versions of pip. And if you don't use the right one, or depending on your system setup, you could install your external libraries to the wrong place using the wrong path.
[00:03:03]
So the safest way of doing this is to be in your virtual environment. And then you just, you know exactly where python points, right. I say python-version here. I know that it's my python 372 from my environment because it's activated. So the better way of doing this is to say python -m, which means Python, run this as a module, and give the name of the module as pip.
[00:03:31]
And then you can say install requests. This way you're guaranteed to have the right path. And when you're first starting out, or actually, just in general, it's important to know your packages. So there are a lot of packages on PyPI. Sometimes they're not up to date. A good way of checking, we'll see here, we can look at the product homepage.
[00:04:00]
By the way, that pip install is right here. Actually, let's look at the base requests, that's the one that we've been using, this is the base version. And you'll see when it was last released, so if the package was last released in 2016, chances are that this is probably not very popular.
[00:04:26]
Let me see the statistics for this library. Here we go. So if you click on this, the libraries.io link, you should see some helpful information here. And it will show you how many dependencies it has. It will show you how many dependent packages there are in dependent repository.
[00:04:50]
So 124,000 projects on GitHub use this library. It's one of the most popular in Python, if not the most. 37,500 stars, etc. So this is a good place to go to see if your package is legit. You should also click through to the GitHub. Check out the code if you want to.
[00:05:10]
So it's good practice to copy and paste this exact command. There is a button right here that will help you do that. If you make a typo and don't type in the correct package name, there have been known to be typo squatters, right. So packages with security vulnerabilities that take advantage of people mistyping these package names, and then they'll go and install a malicious version of the library.
[00:05:40]
So there's some security considerations here.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops