chore: pin all Python dependency versions in requirements.txt #62

Closed
opened 2026-03-10 05:28:15 +00:00 by cal · 1 comment
Owner

Problem

Unpinned dependencies silently introduced a breaking change that caused all POST requests from the Discord bot to fail. An unpinned FastAPI/Starlette upgrade changed redirect_slashes behavior, causing 307 redirects that dropped POST request bodies.

Current State — CRITICAL

Nearly all dependencies are unpinned:

  • fastapi — no version specified at all
  • uvicorn — no version specified at all
  • python-multipart — no version specified at all
  • pandas — no version specified at all
  • requests — no version specified at all
  • numpy<2.0.0 — floor constraint only
  • psycopg2-binary>=2.9.0 — floor constraint only
  • redis>=4.5.0 — floor constraint only

Additionally, the Dockerfile uses tiangolo/uvicorn-gunicorn-fastapi:python3.11 which itself pulls latest versions.

Task

  1. SSH to production (ssh akamai) and run docker exec sba_db_api pip freeze to capture exact installed versions
  2. Pin ALL dependencies to exact versions (==) in requirements.txt
  3. Consider pinning the base Docker image to a specific digest
  4. Separate dev/test dependencies into requirements-dev.txt

Why This Matters

This repo was the direct cause of a production outage on 2026-03-09. An unpinned FastAPI/Starlette upgrade changed redirect behavior, silently breaking scorecard submissions. Every Docker build should produce an identical image.

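An added example, not code from the issue or the repository: a stdlib-only Python audit that flags the unpinned specs listed above and rebuilds requirements.txt from `pip freeze` output, adding the explicit starlette pin the fix describes. The `pip freeze` sample and every version in it are constructed placeholders except `starlette==0.52.1`, which the thread names.

```python
import re

# name, optional [extras], optional operator, version; trailing markers/comments ignored
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(===|[<>=!~]=?)?\s*([^\s;#]*)")

def normalize(name):
    # PEP 503 normalisation: pip freeze prints python_multipart, requirements.txt says python-multipart
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    """(name, operator, version) for one requirement line; None for blank, comment, option or URL lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or " @ " in line:
        return None
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, op, ver = m.groups()
    return normalize(name), op or "", ver

def unpinned(requirements_text):
    """Packages whose spec is not an exact == pin: bare names, floor (>=) or ceiling (<) constraints."""
    return [s[0] for s in map(parse_requirement, requirements_text.splitlines()) if s and s[1] != "=="]

def pin_from_freeze(requirements_text, freeze_text, extra_pins=()):
    """Rewrite each direct dependency as name==<installed version>. extra_pins locks transitive
    packages (starlette here) that pip freeze sees but requirements.txt never named."""
    frozen = {s[0]: s[2] for s in map(parse_requirement, freeze_text.splitlines()) if s and s[1] == "=="}
    wanted = [s[0] for s in map(parse_requirement, requirements_text.splitlines()) if s]
    wanted += [normalize(n) for n in extra_pins]
    missing = [n for n in wanted if n not in frozen]
    if missing:
        raise KeyError(f"not found in pip freeze output: {missing}")
    return "".join(f"{n}=={frozen[n]}\n" for n in wanted)

# Constructed input: requirements.txt as the issue describes it.
REQUIREMENTS_TXT = "fastapi\nuvicorn\npython-multipart\npandas\nrequests\nnumpy<2.0.0\npsycopg2-binary>=2.9.0\nredis>=4.5.0\n"
# Constructed `pip freeze` sample: all versions are made-up placeholders except starlette==0.52.1
# (the transitive pin from the fix); anyio stands in for other transitive packages that stay unlisted.
PIP_FREEZE = """fastapi==0.99.9
uvicorn==0.30.0
python_multipart==0.0.9
pandas==2.2.2
requests==2.32.0
numpy==1.26.4
psycopg2_binary==2.9.9
redis==5.0.0
starlette==0.52.1
anyio==4.4.0
"""
```

Running `pin_from_freeze(REQUIREMENTS_TXT, PIP_FREEZE, extra_pins=["starlette"])` yields a file on which `unpinned()` returns an empty list; a package present in requirements.txt but absent from the freeze output raises rather than silently emitting a bare name.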
Claude added the ai-working label 2026-03-10 05:31:04 +00:00
Claude removed the ai-working label 2026-03-10 05:33:14 +00:00
Collaborator

Fixed in PR #63.

Captured exact versions from production via docker exec sba_db_api pip freeze and pinned all direct dependencies. Also explicitly pinned starlette==0.52.1 (the transitive dep that caused the outage) and moved pytest/pytest-asyncio to a new requirements-dev.txt.

Claude added the ai-pr-opened label 2026-03-10 05:33:22 +00:00
cal closed this issue 2026-03-10 18:26:22 +00:00
Reference: cal/major-domo-database#62