
DL3013: Pin versions in pip install

Warning Best Practice

Why This Matters

Without a pinned version, `pip install` resolves to the newest release available at build time, so two builds of the same Dockerfile can produce different images. An unpinned `pip install flask` may install Flask 3.0 today and Flask 3.1 tomorrow, and any newly published release, whether it carries a breaking change or was uploaded by someone who should not have had access, enters the image without any change to the Dockerfile. This breaks build reproducibility, can cause outages, and removes the review step between a package update and production. Pin every requirement with `==` syntax, and for anything beyond a handful of packages keep the pins in a requirements.txt installed with `pip install -r requirements.txt`. A version pin alone does not verify the artifact's contents; pip's `--require-hashes` mode, with `--hash=sha256:...` entries in requirements.txt, additionally rejects any download whose hash is not listed.

How to Fix

Pin package versions with == syntax

Before (incorrect)

RUN pip install flask requests

After (correct)

RUN pip install flask==3.0.0 requests==2.31.0
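The check behind this rule, as an added example written for this page rather than hadolint's own implementation: a small Python script that reads a Dockerfile, finds each `pip install` in shell and exec form RUN instructions, and reports every requirement that is not an exact `==` pin. The set of accepted forms (exact pins, `-r`/`-c` files, local paths, archives, VCS and URL references) is an approximation of the rule and the sample Dockerfile is constructed for the example.

```python
"""Minimal DL3013-style checker: flags pip install arguments without an exact pin.

Added example, not hadolint's own code; the accepted forms below are an
approximation of the rule described above.
"""
import json
import re
import shlex

# Options that consume the following token, so it must not be read as a package.
OPTS_WITH_VALUE = {
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
    "-t", "--target", "--platform", "--python-version",
}

# name, optional [extras], then == or === (PEP 440 exact pins).
EXACT_PIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?")


def is_pinned(req: str) -> bool:
    """True when the requirement identifies one specific artifact."""
    # Local paths, archives, VCS and URL references carry their own identity.
    if req.startswith((".", "/", "git+", "http://", "https://", "file:")) or "/" in req:
        return True
    if req.endswith((".whl", ".tar.gz", ".zip")):
        return True
    if " @ " in req:  # PEP 508 direct reference: "name @ url"
        return True
    return bool(EXACT_PIN.match(req))


def unpinned_packages(tokens: list[str]) -> list[str]:
    """Return the package arguments of one `pip install` command that lack a pin."""
    start = None
    for k, tok in enumerate(tokens):
        if re.fullmatch(r"pip\d*(\.\d+)?", tok) and tokens[k + 1:k + 2] == ["install"]:
            start = k + 2
            break
        if tok == "-m" and tokens[k + 1:k + 3] == ["pip", "install"]:
            start = k + 3
            break
    if start is None:
        return []
    unpinned, skip_next = [], False
    for tok in tokens[start:]:
        if skip_next:
            skip_next = False
            continue
        if tok in OPTS_WITH_VALUE:
            skip_next = True
            continue
        if tok.startswith("-"):  # flags such as --no-cache-dir or --upgrade
            continue
        if not is_pinned(tok):
            unpinned.append(tok)
    return unpinned


def check_dockerfile(text: str) -> list[tuple[int, str]]:
    """Return (line number, requirement) for every unpinned pip install argument."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start_line = i + 1
        line = lines[i]
        # Join backslash continuations; the finding is reported on the RUN line.
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + " " + lines[i]
        i += 1
        stripped = line.strip()
        if not stripped.upper().startswith("RUN "):
            continue
        body = stripped[4:].strip()
        if body.startswith("["):  # exec form: RUN ["pip", "install", ...]
            try:
                commands = [json.loads(body)]
            except ValueError:
                continue
        else:  # shell form: split on &&, ||, ; and | to see each pip call
            try:
                commands = [shlex.split(c) for c in re.split(r"&&|\|\||;|\|", body)]
            except ValueError:  # unbalanced quotes
                continue
        for tokens in commands:
            findings.extend((start_line, pkg) for pkg in unpinned_packages(tokens))
    return findings


# Constructed sample Dockerfile (not from the page) covering the cases above.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
RUN pip install flask requests
RUN pip install flask==3.0.0 requests==2.31.0
RUN pip install --no-cache-dir -r requirements.txt
RUN pip3 install "fastapi>=0.100" uvicorn
RUN python -m pip install ./vendor/mylib .
RUN pip install \\
    flask==3.0.0 \\
    && pip install gunicorn
RUN ["pip", "install", "pyyaml"]
"""

if __name__ == "__main__":
    for lineno, req in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{lineno} DL3013 unpinned requirement: {req}")
```

Run against the sample, the script reports lines 2, 5, 7 and 10. Note that a range specifier such as `fastapi>=0.100` is still reported: it constrains the resolver but does not make the build reproducible, which is the property the rule is after.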

Rule Details

Rule Code
DL3013
Severity
Warning
Category
Best Practice

Related Rules