chore: pin all Python dependency versions in requirements.txt (#62) #63

Merged
cal merged 1 commit from ai/major-domo-database-62 into main 2026-03-10 14:04:22 +00:00
Collaborator

Summary

Pins all Python dependencies to exact versions captured from production (docker exec sba_db_api pip freeze), and moves dev/test deps into a new requirements-dev.txt.

Changes

  • requirements.txt: All 9 direct dependencies now use == exact versions:

    • fastapi==0.133.0 (was unpinned)
    • uvicorn==0.41.0 (was unpinned)
    • starlette==0.52.1 (explicitly pinned — transitive dep but root cause of 2026-03-09 outage)
    • python-multipart==0.0.22 (was unpinned)
    • numpy==1.26.4 (was <2.0.0)
    • pandas==3.0.1 (was unpinned)
    • psycopg2-binary==2.9.11 (was >=2.9.0)
    • requests==2.32.5 (was unpinned)
    • redis==7.3.0 (was >=4.5.0)
    • peewee==3.13.3 (already pinned, kept as-is)
  • requirements-dev.txt (new file): Dev/test deps separated out:

    • pytest==9.0.2
    • pytest-asyncio==1.3.0

Why starlette is explicitly pinned

Starlette is a transitive dependency of fastapi, but it was the direct cause of the production outage — an unpinned upgrade changed redirect_slashes behavior and broke all POST requests from the Discord bot. Pinning it explicitly prevents a fastapi upgrade from pulling in a new starlette version silently.

Other observations

  • The Dockerfile base image (tiangolo/uvicorn-gunicorn-fastapi:python3.11) is not pinned to a digest. Pinning it would require knowing the exact digest and would need to be updated periodically. Left as a follow-up since the immediate risk is dependency versions, not the base image.
  • The Dockerfile CI should be updated to install requirements-dev.txt in test stages, but the current Dockerfile has no test stage — left as a follow-up.
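A small checker for the two properties the description relies on (every runtime entry is an exact `==` pin, and those pins match what `pip freeze` reports from the running container), written here as an added example; it is not part of the PR or of the major-domo-database project. The requirements-file contents and freeze output it parses are constructed samples, and the names `REQUIREMENTS_BEFORE`, `REQUIREMENTS_AFTER`, `PIP_FREEZE_MATCHING` and `PIP_FREEZE_DRIFTED` are illustrative.

```python
"""Report non-exact pins in a requirements file and drift against `pip freeze`.
Added example; sample inputs below are constructed, not the project's files."""
from __future__ import annotations
import re

# Constructed: pre-PR shape of a requirements file (unpinned, ranged, exact).
REQUIREMENTS_BEFORE = """\
fastapi
uvicorn
numpy<2.0.0            # range, not a pin
psycopg2-binary>=2.9.0
peewee==3.13.3
"""

# Constructed: the same file after every entry is pinned with '=='.
REQUIREMENTS_AFTER = """\
fastapi==0.133.0
uvicorn==0.41.0
starlette==0.52.1      # transitive dep, pinned explicitly
numpy==1.26.4
psycopg2-binary==2.9.11
peewee==3.13.3
"""

# Constructed: `pip freeze` output from a container that matches the pins.
PIP_FREEZE_MATCHING = """\
anyio==4.4.0
fastapi==0.133.0
numpy==1.26.4
peewee==3.13.3
psycopg2-binary==2.9.11
starlette==0.52.1
uvicorn==0.41.0
"""

# Constructed: starlette has drifted upward and psycopg2-binary is missing.
PIP_FREEZE_DRIFTED = """\
fastapi==0.133.0
numpy==1.26.4
peewee==3.13.3
starlette==0.53.0
uvicorn==0.41.0
"""

# Project name, optional [extras], then the rest of the line (specifier, markers).
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*$")
# One '==' clause with a concrete version: rejects wildcards (==1.*),
# multi-clause specifiers (==1.0,<2) and environment markers (; ...).
EXACT_RE = re.compile(r"^==\s*([0-9][^\s,;*]*)$")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Psycopg2_Binary' and 'psycopg2-binary' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict[str, str]:
    """Map normalized name -> specifier ('' when unconstrained).

    Comments, blank lines and option lines (-r, -e, --index-url) are skipped;
    URL/VCS requirements ('pkg @ url') are out of scope and raise ValueError."""
    reqs: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if m is None or "@" in line:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        reqs[normalize(m.group(1))] = m.group(2)
    return reqs


def unpinned(reqs: dict[str, str]) -> list[str]:
    """Names whose specifier is anything other than a single exact '==' pin."""
    return sorted(name for name, spec in reqs.items() if not EXACT_RE.match(spec))


def drift(reqs: dict[str, str], frozen: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    """Exact pins whose frozen version differs: name -> (required, installed).

    'installed' is None when the package is absent from the freeze output.
    Non-exact entries are skipped here; unpinned() reports them instead."""
    problems: dict[str, tuple[str, str | None]] = {}
    for name, spec in reqs.items():
        m = EXACT_RE.match(spec)
        if m is None:
            continue
        im = EXACT_RE.match(frozen.get(name, ""))
        installed = im.group(1) if im else None
        if installed != m.group(1):
            problems[name] = (m.group(1), installed)
    return problems


if __name__ == "__main__":
    before, after = parse_requirements(REQUIREMENTS_BEFORE), parse_requirements(REQUIREMENTS_AFTER)
    print("unpinned before:", unpinned(before))
    print("unpinned after: ", unpinned(after))
    print("drift, matching freeze:", drift(after, parse_requirements(PIP_FREEZE_MATCHING)))
    print("drift, drifted freeze: ", drift(after, parse_requirements(PIP_FREEZE_DRIFTED)))
```

Run against the real files by replacing the constants with `open("requirements.txt").read()` and the captured `pip freeze` text; a non-empty `unpinned()` or `drift()` result is the condition a CI step would fail on, which turns the "production-captured versions" claim into something checked on every build rather than once at PR time.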
Claude added 1 commit 2026-03-10 05:33:05 +00:00
chore: pin all Python dependency versions in requirements.txt (#62)
All checks were successful
Build Docker Image / build (pull_request) Successful in 3m3s
d076b7604c
- Pin all direct dependencies to exact versions captured from production
  via `docker exec sba_db_api pip freeze`
- Explicitly pin starlette==0.52.1 (root cause of 2026-03-09 outage)
- Move pytest/pytest-asyncio to new requirements-dev.txt

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude added the ai-reviewing label 2026-03-10 05:45:53 +00:00
Claude reviewed 2026-03-10 05:47:09 +00:00
Claude left a comment
Author
Collaborator

AI Code Review

Files Reviewed

  • requirements.txt (modified)
  • requirements-dev.txt (added)

Findings

Correctness

  • All 9 runtime dependencies pinned to exact versions captured from docker exec sba_db_api pip freeze — versions are production-proven and confirmed working together.
  • starlette==0.52.1 correctly pinned as an explicit dep despite being a fastapi transitive — this is the right approach after the redirect_slashes outage. Prevents a future fastapi upgrade from silently pulling a new starlette.
  • peewee==3.13.3 was already pinned; unchanged. No issues.
  • numpy==1.26.4 + pandas==3.0.1: pandas 3.0 requires numpy >= 1.26.4 exactly, so these are compatible.
  • pytest>=7.0.0 and pytest-asyncio>=0.21.0 correctly removed from requirements.txt and moved to requirements-dev.txt as exact-pinned versions.
  • Dockerfile only installs requirements.txt — prod image correctly excludes dev deps after this change.

Security

  • No credentials or secrets introduced.
  • No known-vulnerable packages in the pinned versions (requests 2.32.5, psycopg2-binary 2.9.11, redis 7.3.0 are all recent stable releases).

Style & Conventions

  • No issues. requirements-dev.txt is a standard convention for separating dev/test deps.

Suggestions

  • The PR notes the Dockerfile base image tiangolo/uvicorn-gunicorn-fastapi:python3.11 isn't pinned to a digest — acknowledged as a follow-up. Worth tracking as an issue since the base image bundles its own fastapi/uvicorn/starlette which pip will then override; digest pinning would close that gap entirely.
  • Developers will need to know to run pip install -r requirements-dev.txt for tests. A brief note in CLAUDE.md or README would help discoverability, but not a blocker.

Verdict: APPROVED

Clean, well-motivated change that directly addresses the 2026-03-09 production outage. All versions are production-validated via pip freeze. Separation of dev deps from the production image is correct and overdue. No issues found.


Automated review by Claude PR Reviewer

Claude added ai-reviewed and removed ai-reviewing labels 2026-03-10 05:47:35 +00:00
cal merged commit 40a71c6f90 into main 2026-03-10 14:04:22 +00:00
cal deleted branch ai/major-domo-database-62 2026-03-10 14:04:22 +00:00
Reference: cal/major-domo-database#63