Full current guidance for How to install flask safely — and check it's the real PyPI package:
- Re-verify provenance on every version bump, not just first install.
- Keep an allowlist of trusted publishers and pin to it.
- Log and review all tool/dependency changes in CI.
- Prefer signed releases and reproducible builds where available.