chore: pin all Python dependency versions in requirements.txt #76

Closed
opened 2026-03-10 05:28:07 +00:00 by cal · 1 comment
Owner

Problem

Unpinned dependencies can silently introduce breaking changes when Docker images are rebuilt. This was the root cause of the 307 redirect bug (https://git.manticorum.com/cal/major-domo-v2/pulls/75) — an unpinned FastAPI/Starlette upgrade in the database API changed redirect behavior and broke all POST requests.

Current State

Most dependencies in this repo are already pinned (e.g., aiohttp==3.12.13), but a few use floor constraints:

  • redis>=5.0.0
  • black>=23.0.0
  • ruff>=0.1.0
  • pytest-mock>=3.10.0

Task

  1. Run pip freeze in the current working environment to capture exact installed versions
  2. Pin ALL dependencies to exact versions (==) in requirements.txt
  3. Separate dev/test dependencies into requirements-dev.txt if not already done
  4. Document the pinning policy in CLAUDE.md

Why This Matters

Every Docker build should produce an identical image. Unpinned deps mean a git revert doesn't actually roll back to the previous working state — you get the old code with new libraries.

Claude added the
ai-working
label 2026-03-10 06:01:04 +00:00
Claude added the
status/in-progress
label 2026-03-10 06:02:47 +00:00
Claude removed the
status/in-progress
label 2026-03-10 06:03:57 +00:00
Collaborator

PR #77 opened: https://git.manticorum.com/cal/major-domo-v2/pulls/77

Approach:

  • Pinned redis>=5.0.0 → redis==7.3.0
  • Created requirements-dev.txt with all dev/test deps at exact versions (pytest-mock==3.15.1, black==26.1.0, ruff==0.15.0), starting with -r requirements.txt
  • Removed dev/test tools from requirements.txt — they were never needed in the production Docker image
  • Added a Dependencies section to CLAUDE.md documenting the pinning policy and that pip install -r requirements-dev.txt is required for local testing

930 tests pass.

Claude added
status/pr-open
ai-pr-opened
and removed
ai-working
labels 2026-03-10 06:04:17 +00:00
cal closed this issue 2026-03-10 14:05:49 +00:00
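
A check for the exact-pin policy this issue asks for, as an added example (not code from this repository or from PR #77): it flags every entry in a requirements file that is not pinned with `==`. The function name `unpinned` and the sample file contents are assumptions built from the entries quoted above; it assumes one requirement per line with no backslash continuations.

```python
import re

# name, optional [extras], then == and an exact version (no "*" wildcard, no "===").
EXACT_PIN = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]+\])?\s*==\s*[A-Za-z0-9][A-Za-z0-9.!+_-]*$"
)


def unpinned(requirements_text):
    """Return (line_number, requirement) for every entry not pinned with ==."""
    findings = []
    for number, raw in enumerate(requirements_text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop full-line and inline comments
        if not line:
            continue
        # Options such as "-r requirements.txt" carry no requirement of their own;
        # the included file gets its own check. Editable installs are never pinned.
        if line.startswith("-") and not line.startswith(("-e", "--editable")):
            continue
        # An environment marker ("; python_version < '3.11'") does not affect pinning.
        requirement = line.split(";", 1)[0].strip()
        if not EXACT_PIN.match(requirement):
            findings.append((number, requirement))
    return findings


# Constructed sample input, built from the entries quoted in the issue and the comment.
BEFORE = """\
aiohttp==3.12.13
redis>=5.0.0
black>=23.0.0
ruff>=0.1.0
pytest-mock>=3.10.0
"""
AFTER_DEV = """\
-r requirements.txt
pytest-mock==3.15.1  # dev/test only
black==26.1.0
ruff==0.15.0
"""

if __name__ == "__main__":
    for number, requirement in unpinned(BEFORE):
        print(f"requirements.txt:{number}: not pinned: {requirement}")
    assert unpinned(AFTER_DEV) == []
```

Run as a CI step or pre-commit hook against each requirements file, failing the build when the returned list is non-empty.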
Reference: cal/major-domo-v2#76