I'm looking at hatch as a possible replacement for pipenv. With pipenv I can specify that dependencies come from a specific Python index. This means I can be sure that the package I actually wanted is being picked up, rather than one on PyPI with the same name (I believe this is referred to as "spoofing"). I understand that I can configure hatch so that pip will look at a private index, but how do I protect against spoofing?
Replies: 1 comment
Not until Python gets a lock file https://discuss.python.org/t/how-should-a-lockfile-pep-665-successor-look-like/17690
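The question is about dependency confusion: when pip is told about a private index with `--extra-index-url`, it still considers PyPI, so a same-named public package can win resolution. The reply points at lock files as the real fix; until then the closest equivalent in pip is a single `--index-url` plus `--require-hashes` with a `--hash=` on every pinned requirement. The audit script below is an added example, not code from hatch or from the discussion. It assumes a pip-style requirements file; the index hostname `pkgs.example.internal` and the all-zero/all-one sha256 digests are constructed placeholders, not real artifacts.

```python
"""Audit a pip requirements file for dependency-confusion risk (added example).

Checks performed:
  1. `--extra-index-url` lets pip resolve a name from PyPI and the private
     index together, so a same-named public package can be chosen.
  2. Requirements that are not pinned with `==` float between releases.
  3. Pinned requirements without a `--hash=sha256:...` line, or a file that
     omits `--require-hashes`, still trust whatever artifact the index serves.
"""
import re
from dataclasses import dataclass, field

# exact pin, e.g. "requests==2.31.0"; the version stops at whitespace, ';' or '\'
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\;]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


@dataclass
class Finding:
    line_no: int      # 1-based line in the requirements text; 0 = file-level
    severity: str     # "high" | "medium" | "low"
    message: str


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)
    extra_index_urls: list = field(default_factory=list)
    require_hashes: bool = False
    pinned: int = 0
    hashed: int = 0


def _logical_lines(text: str):
    """Yield (first_line_no, line) with '#' comments stripped and backslash
    continuations joined, the way pip reads a requirements file."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            start = start or no
            continue
        buf.append(line)
        yield (start or no), " ".join(buf).strip()
        buf, start = [], None


def audit_requirements(text: str) -> AuditResult:
    r = AuditResult()
    for no, line in _logical_lines(text):
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            url = line.split(None, 1)[1] if " " in line else ""
            r.extra_index_urls.append(url)
            r.findings.append(Finding(no, "high",
                "--extra-index-url lets a same-named PyPI package win resolution; "
                "use a single --index-url pointing at a private index that proxies PyPI"))
            continue
        if line.startswith("--index-url"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[1].startswith("http://"):
                r.findings.append(Finding(no, "medium", "index is fetched over plain http"))
            continue
        if line == "--require-hashes":
            r.require_hashes = True
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this audit
        m = PIN_RE.match(line)
        if not m:
            r.findings.append(Finding(no, "medium",
                f"'{line.split()[0]}' is not pinned with ==, so resolution floats"))
            continue
        r.pinned += 1
        if HASH_RE.search(line):
            r.hashed += 1
        else:
            r.findings.append(Finding(no, "medium", f"{m.group(1)}=={m.group(2)} has no --hash pin"))
    if r.pinned and not r.require_hashes:
        r.findings.append(Finding(0, "low", "add --require-hashes so pip rejects any unhashed requirement"))
    return r


def is_confusion_resistant(result: AuditResult) -> bool:
    """True only when a single index is used and every pin carries a hash."""
    return (not result.extra_index_urls and result.require_hashes
            and result.pinned == result.hashed
            and not any(f.severity == "high" for f in result.findings))


# Constructed sample inputs; the index host and digests are placeholders.
FAKE_HASH_A, FAKE_HASH_B = "0" * 64, "1" * 64

WEAK = """\
--index-url https://pypi.org/simple
--extra-index-url https://pkgs.example.internal/simple   # private index, constructed
requests==2.31.0
internal-auth-lib>=1.0
"""

HARDENED = f"""\
--index-url https://pkgs.example.internal/simple   # proxies PyPI and hosts private packages
--require-hashes
requests==2.31.0 \\
    --hash=sha256:{FAKE_HASH_A}
internal-auth-lib==1.4.2 \\
    --hash=sha256:{FAKE_HASH_B}
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        res = audit_requirements(text)
        print(f"{name}: resistant={is_confusion_resistant(res)}")
        for f in res.findings:
            print(f"  line {f.line_no} [{f.severity}] {f.message}")
```

The hardened file is what a hash-pinned `requirements.txt` generated for a single private index looks like; the audit treats anything short of that as still exposed, which matches the reply's point that only a real lock file closes the gap.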