chore: pin all Python dependency versions in requirements.txt (#64) #65

Merged
cal merged 1 commits from ai/paper-dynasty-database#64 into next-release 2026-03-10 14:06:42 +00:00
Collaborator

Summary

  • Pins all 14 Python dependencies in requirements.txt to exact == versions, preventing silent breaking changes on Docker rebuilds
  • Removes the duplicate python-multipart entry
  • Upgrades numpy from a floor constraint (<2) to an exact pin (1.26.4, latest 1.x — respects the existing CPU compatibility constraint)
  • Pins Dockerfile base image from :latest to :python3.11 for reproducible builds

Version choices

| Package | Before | After | Notes |
|---|---|---|---|
| pydantic | 1.* | 1.10.21 | Latest v1 — codebase uses root_validators / v1 API |
| fastapi | unpinned | 0.111.1 | Last series with explicit pydantic v1 support |
| uvicorn | unpinned | 0.30.6 | Concurrent with fastapi 0.111.x |
| peewee | unpinned | 3.17.9 | Last stable 3.17 before 3.18+ async additions |
| psycopg2-binary | unpinned | 2.9.9 | Stable mid-2024 release |
| python-multipart | unpinned + duplicate | 0.0.9 | Duplicate removed |
| numpy | <2 | 1.26.4 | Latest 1.x, satisfies original <2 constraint |
| pandas | unpinned | 2.2.3 | Latest 2.x |
| pygsheets | unpinned | 2.0.6 | Latest |
| pybaseball | unpinned | 2.2.7 | Latest |
| requests | unpinned | 2.32.3 | Latest 2.32.x |
| html2image | unpinned | 2.0.6 | Stable 2.0.6 |
| jinja2 | unpinned | 3.1.4 | Stable mid-2024 |
| playwright | unpinned | 1.45.1 | Mid-2024 stable; matches playwright install chromium |

Files changed

  • requirements.txt
  • Dockerfile

Other observations

  • The tiangolo/uvicorn-gunicorn-fastapi base image is pinned to :python3.11 (a named tag) rather than a digest. For absolute reproducibility a SHA256 digest pin could be added, but the named tag is a significant improvement over :latest.
  • The inline comment # PostgreSQL adapter for Python on psycopg2-binary was removed as comments in requirements files can cause issues with some pip versions.
Claude added 1 commit 2026-03-10 06:35:55 +00:00
- Pin all 14 dependencies to exact versions (==)
- Remove duplicate python-multipart entry
- Upgrade numpy from floor constraint (<2) to exact pin (1.26.4, latest 1.x)
- Pin Dockerfile base image from :latest to :python3.11

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude added the ai-reviewing label 2026-03-10 06:45:48 +00:00
Author
Collaborator

AI Code Review

Files Reviewed

  • requirements.txt (modified)
  • Dockerfile (modified)

Findings

Correctness

  • Diff matches the PR description exactly: 14 deps pinned, duplicate python-multipart removed, numpy<2 upgraded to exact pin, Dockerfile base image tag pinned. No scope creep.
  • Line count: 15 → 14 lines (one duplicate python-multipart removed). Correct.
  • All pinned versions match the PR's version table.
  • CRLF line endings (\r\n) in requirements.txt are pre-existing, not introduced by this PR.
  • fastapi==0.111.1 with pydantic==1.10.21: FastAPI 0.111.x maintained pydantic v1 compatibility — correct pairing for a codebase using root_validators and the v1 API. ✓
  • playwright==1.45.1 aligns with the playwright install chromium call in the Dockerfile. ✓

Security

  • No credentials, tokens, or secrets introduced.
  • jinja2==3.1.4 is specifically the release that patched CVE-2024-34064 (XSS in sandbox). Good choice. ✓
  • requests==2.32.3: No known critical CVEs at this version. ✓
  • Note: python-multipart==0.0.9 is affected by CVE-2024-53981 (ReDoS in multipart boundary parsing), patched in v0.0.18 (December 2024). FastAPI 0.111.1 requires >=0.0.7, so bumping to 0.0.18 would close the CVE without any other changes. Not a blocker given the mid-2024 pinning goal, but worth a follow-up if the app processes untrusted file uploads.

Style & Conventions

  • Removal of the inline comment on psycopg2-binary is harmless (pip handles # comments in requirements files without issue, contrary to the PR body's note — but removing it causes no problems).
  • tiangolo/uvicorn-gunicorn-fastapi:python3.11 named tag is a meaningful improvement over :latest. The PR body's acknowledgment that a SHA256 digest would be more reproducible is accurate — acceptable trade-off.

Suggestions

  • Consider bumping python-multipart to 0.0.18 to address CVE-2024-53981. Low-severity in typical usage but a simple patch.

Verdict: APPROVED

Clean, focused infrastructure improvement. Exactly 2 files changed, matching the PR description — no scope creep, no reformatting, no unrelated deletions. All version choices are well-reasoned and documented. The python-multipart CVE is worth a follow-up issue but does not block this PR.

⚠️ Gitea self-review restriction: formal review posted as comment.


Automated review by Claude PR Reviewer

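The checks the PR body and the review above describe, as an added example that is not code from the PR or the project: a small Python lint that parses a requirements file, flags every line that is not an exact `==` pin (including wildcard pins such as `1.*`), reports duplicate entries like the second python-multipart line, compares an exact pin against a known-fixed floor (the only floor used here is the review's note that python-multipart was fixed in 0.0.18), and checks Dockerfile `FROM` lines for `:latest` or a named tag without a digest. The two sample requirement lists are constructed to mirror the "Before" and "After" columns of the version table, the Dockerfile lines and the all-zero digest are placeholders, and the `Finding` codes are this example's own.

```python
"""Supply-chain lint for pinned requirements and Dockerfile base images.

Added example for this PR page; not code from the project. Assumes package
names compare after PEP 503 normalisation, versions are dotted numerics, and
MIN_SAFE holds the one floor the review states (python-multipart >= 0.0.18).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    lineno: int
    code: str   # unpinned | wildcard | duplicate | below-minimum | mutable-tag | no-digest
    name: str
    message: str


# requirement line: name[extras] <op> <version>; everything after the name is optional
REQ_RE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"   # project name
    r"(?:\[[^\]]*\])?\s*"                               # optional extras
    r"(?:(===|==|~=|!=|<=|>=|<|>)\s*([^\s,;]+))?"       # optional operator + version
)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so Python_Multipart and python-multipart collide."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Comparison key for dotted numeric releases (0.0.18 sorts above 0.0.9)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def lint_requirements(text: str, min_safe: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Flag unpinned lines, wildcard pins, duplicates and pins below a known-fixed release."""
    floors = {canonical_name(k): v for k, v in (min_safe or {}).items()}
    findings: List[Finding] = []
    first_seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):   # splitlines() handles CRLF too
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()     # drop inline comments
        if not line or line.startswith("-"):               # blank, -r, -e, --option lines
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        key = canonical_name(name)
        if key in first_seen:
            findings.append(Finding(lineno, "duplicate", key,
                                    f"{name} already listed on line {first_seen[key]}"))
        else:
            first_seen[key] = lineno
        if op != "==":
            findings.append(Finding(lineno, "unpinned", key,
                                    f"{name} uses '{op or ''}{version or ''}' rather than an exact == pin"))
            continue
        if "*" in version:
            findings.append(Finding(lineno, "wildcard", key, f"{name}=={version} still floats within a series"))
            continue
        floor = floors.get(key)
        if floor and version_key(version) < version_key(floor):
            findings.append(Finding(lineno, "below-minimum", key,
                                    f"{name}=={version} is below the fixed release {floor}"))
    return findings


def split_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split name[:tag][@digest]; a ':' before the last '/' belongs to a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest


def lint_dockerfile(text: str) -> List[Finding]:
    """Require a digest on each external base image; :latest or no tag is the weakest case."""
    findings: List[Finding] = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if ref in stages:            # FROM <earlier build stage> is not an external pull
            continue
        if stage:
            stages.add(stage)
        name, tag, digest = split_image_ref(ref)
        if digest and DIGEST_RE.fullmatch(digest):
            continue
        if tag is None or tag == "latest":
            findings.append(Finding(lineno, "mutable-tag", name, f"{ref} resolves to whatever the registry serves today"))
        else:
            findings.append(Finding(lineno, "no-digest", name, f"{ref} is a named tag; add @sha256:... to freeze its content"))
    return findings


# Constructed inputs modelled on the PR's "Before"/"After" columns; not the real files.
BEFORE_REQUIREMENTS = "\n".join([
    "pydantic==1.*", "fastapi", "uvicorn", "peewee",
    "psycopg2-binary  # PostgreSQL adapter for Python", "python-multipart", "numpy<2",
    "pandas", "pygsheets", "pybaseball", "requests", "html2image", "jinja2", "playwright",
    "python-multipart",   # the duplicate the PR removes
])
AFTER_REQUIREMENTS = "\r\n".join([   # CRLF, as the review notes the real file uses
    "pydantic==1.10.21", "fastapi==0.111.1", "uvicorn==0.30.6", "peewee==3.17.9",
    "psycopg2-binary==2.9.9", "python-multipart==0.0.9", "numpy==1.26.4", "pandas==2.2.3",
    "pygsheets==2.0.6", "pybaseball==2.2.7", "requests==2.32.3", "html2image==2.0.6",
    "jinja2==3.1.4", "playwright==1.45.1",
])
MIN_SAFE = {"python-multipart": "0.0.18"}   # floor taken from the review's CVE-2024-53981 note
SAMPLE_DOCKERFILE = "\n".join([
    "FROM tiangolo/uvicorn-gunicorn-fastapi:latest",
    "FROM tiangolo/uvicorn-gunicorn-fastapi:python3.11",
    "FROM tiangolo/uvicorn-gunicorn-fastapi:python3.11@sha256:" + "0" * 64,   # placeholder digest
])

if __name__ == "__main__":
    for label, text in (("before", BEFORE_REQUIREMENTS), ("after", AFTER_REQUIREMENTS)):
        for f in lint_requirements(text, MIN_SAFE):
            print(f"requirements.txt ({label}):{f.lineno}: {f.code}: {f.message}")
    for f in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{f.lineno}: {f.code}: {f.message}")
```

Run against the constructed "before" list it reports fourteen unpinned lines, the `1.*` wildcard and the duplicate; against the "after" list the only finding left is python-multipart 0.0.9 sitting below the 0.0.18 floor, which is exactly the follow-up the review suggests. The Dockerfile check accepts only a full `@sha256:` digest, so the named `:python3.11` tag is reported as an improvement that still lacks a digest.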
Claude added ai-reviewed and removed ai-reviewing labels 2026-03-10 06:48:08 +00:00
cal merged commit 6afb2773fe into next-release 2026-03-10 14:06:42 +00:00
cal deleted branch ai/paper-dynasty-database#64 2026-03-10 14:06:42 +00:00