chore: pin all Python dependency versions (#82) #83

Merged
cal merged 1 commit from ai/paper-dynasty-discord82 into main 2026-03-10 14:07:07 +00:00
Collaborator

Summary

  • Pinned all 12 production dependencies in requirements.txt to exact == versions sourced from the live production container
  • Moved pytest and pytest-asyncio out of requirements.txt into a new requirements-dev.txt (which includes -r requirements.txt)
  • Pinned Dockerfile base image from python:3.12-slim to python:3.12.13-slim (matches production Python 3.12.13)
  • Removed the numpy<2 floor constraint, replacing it with the exact pinned version numpy==1.26.4

Files Changed

  • requirements.txt — all deps pinned to exact versions, test deps removed
  • requirements-dev.txt — new file with pinned test deps
  • Dockerfile — base image pinned to python:3.12.13-slim

Versions (sourced from production container)

Package Version
discord.py 2.7.1
pygsheets 2.0.6
pydantic 2.12.5
gsheets 0.6.1
bs4 0.0.2
peewee 4.0.1
sqlmodel 0.0.37
alembic 1.18.4
numpy 1.26.4
pandas 3.0.1
psycopg2-binary 2.9.11
aiohttp 3.13.3
pytest (dev) 9.0.2
pytest-asyncio (dev) 1.3.0

Test Results

No test suite — changes verified by reading back modified files.

Other Observations

The Dockerfile could also be pinned to a specific digest (FROM python:3.12.13-slim@sha256:...) for complete immutability. The specific version tag is already a significant improvement and avoids the need to maintain a digest manually.

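The properties this PR establishes (every production requirement carries a single exact `==` pin, the base image uses a patch-level tag, and a `@sha256` digest is the next step) can be checked mechanically in CI rather than by reading the files back. The linter below is an added example, not code from the paper-dynasty-discord repository; the `REQUIREMENTS_*` and `DOCKERFILE_*` strings are constructed to mirror the before/after state described above, and the digest in `DOCKERFILE_DIGEST` is a placeholder, not a real image digest. It also tolerates the CRLF line endings the review notes in `requirements.txt`, `-r` includes, backslash continuations and `--hash=` options.

```python
"""Pin linter for requirements.txt and Dockerfile FROM lines.

Added example; this is not code from the paper-dynasty-discord repository.
It checks that every requirement is a single exact `==` pin (no floors,
ranges or wildcards) and that every base image uses a patch-level tag or,
better, an immutable @sha256 digest.
"""
import re
from typing import Iterator, List, Tuple

Finding = Tuple[str, str, str]  # (level, subject, problem)

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_EXACT_PIN_RE = re.compile(r"^==\s*[0-9A-Za-z.+!-]+$")  # one clause, no '*'
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
_PATCH_TAG_RE = re.compile(r"^\d+\.\d+\.\d+")  # 3.12.13-slim yes, 3.12-slim no


def _logical_lines(text: str) -> Iterator[str]:
    """Yield requirement lines with comments removed and backslash
    continuations joined; splitlines() accepts CRLF as well as LF."""
    buf = ""
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].rstrip()
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield (buf + raw).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def check_requirements(text: str) -> List[Finding]:
    """Flag every requirement that is not an exact `==` pin."""
    findings: List[Finding] = []
    for line in _logical_lines(text):
        if not line:
            continue
        if line.startswith("-"):
            # "-r other.txt" includes are fine; other pip options (extra index
            # URLs, find-links) change where packages come from: flag for review.
            if not line.startswith(("-r ", "-c ", "--requirement ", "--constraint ")):
                findings.append(("warn", line, "pip option in requirements file; review manually"))
            continue
        if "://" in line or " @ " in line:
            findings.append(("error", line, "direct URL/VCS reference; pin a released version instead"))
            continue
        spec_part = line.split(";", 1)[0].strip()            # drop environment marker
        spec_part = re.sub(r"\s*--hash=\S+", "", spec_part)   # --hash options are fine
        m = _NAME_RE.match(spec_part)
        if not m:
            findings.append(("error", line, "unparseable requirement"))
            continue
        name, spec = m.group(1), m.group(3).strip()
        if not spec:
            findings.append(("error", name, "no version specifier: resolves to latest"))
        elif not _EXACT_PIN_RE.match(spec):
            findings.append(("error", name, f"not an exact pin: {spec!r}"))
    return findings


def parse_from(line: str) -> Tuple[str, str, str]:
    """Split a FROM instruction into (image, tag, digest); '' when absent."""
    tokens = line.split()
    ref = next(t for t in tokens[1:] if not t.startswith("--"))  # skip --platform=...
    ref, _, digest = ref.partition("@")
    # The tag is what follows the last ':' after the last '/', so a registry
    # port ("registry:5000/python") is not mistaken for a tag.
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:], digest
    return ref, "", digest


def check_dockerfile(text: str) -> List[Finding]:
    """Classify each FROM: digest (silent), patch tag (info), series tag
    (warn), missing or 'latest' tag (error). Stage references are skipped."""
    findings: List[Finding] = []
    stages = set()  # names introduced with "AS <name>"
    for raw in text.splitlines():
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        tokens = line.split()
        if len(tokens) >= 4 and tokens[-2].upper() == "AS":
            stages.add(tokens[-1])
        image, tag, digest = parse_from(line)
        if image == "scratch" or image in stages:
            continue
        if digest:
            if not _DIGEST_RE.match(digest):
                findings.append(("error", image, f"malformed digest {digest!r}"))
            continue  # a valid digest is immutable whatever the tag says
        if not tag or tag == "latest":
            findings.append(("error", image, "no tag or 'latest': base image changes with every push"))
        elif not _PATCH_TAG_RE.match(tag):
            findings.append(("warn", image, f"series tag {tag!r} moves with upstream patch releases"))
        else:
            findings.append(("info", image, f"tag {tag!r} is specific but mutable; add @sha256:<digest>"))
    return findings


# Constructed samples mirroring the before/after state this PR describes;
# the digest below is a placeholder, not a real image digest.
REQUIREMENTS_BEFORE = "discord.py\r\nnumpy<2\r\npandas>=2.0,<3\r\npytest\r\n"
REQUIREMENTS_AFTER = ("discord.py==2.7.1\r\nnumpy==1.26.4\r\npandas==3.0.1\r\n"
                      "psycopg2-binary==2.9.11  # psycopg[binary]\r\n")
REQUIREMENTS_DEV = "-r requirements.txt\npytest==9.0.2\npytest-asyncio==1.3.0\n"
DOCKERFILE_BEFORE = "FROM python:3.12-slim\nWORKDIR /app\n"
DOCKERFILE_AFTER = "FROM python:3.12.13-slim\nWORKDIR /app\n"
DOCKERFILE_DIGEST = "FROM python:3.12.13-slim@sha256:" + "ab" * 32 + "\n"

if __name__ == "__main__":
    for label, text in [("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER), ("dev", REQUIREMENTS_DEV)]:
        print(f"requirements ({label}):", check_requirements(text) or "clean")
    for label, text in [("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER), ("digest", DOCKERFILE_DIGEST)]:
        print(f"Dockerfile ({label}):", check_dockerfile(text) or "clean")
```

An `==` pin fixes the version string but not the artifact: the index can still serve a different file under that version. Adding `--hash=sha256:...` entries (which the checker above accepts) and installing with `pip install --require-hashes -r requirements.txt` closes that gap, the same way the `@sha256` digest does for the base image.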
Claude added 1 commit 2026-03-10 07:03:38 +00:00
chore: pin all Python dependency versions (#82)
All checks were successful
Build Docker Image / build (pull_request) Successful in 2m52s
9d279cd038
Pin all requirements.txt deps to exact versions sourced from production
container. Move pytest/pytest-asyncio to new requirements-dev.txt. Pin
Dockerfile base image from python:3.12-slim to python:3.12.13-slim.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude added the ai-reviewing label 2026-03-10 07:15:53 +00:00
Claude reviewed 2026-03-10 07:18:04 +00:00
Claude left a comment
Author
Collaborator

AI Code Review

Files Reviewed

  • requirements.txt (modified)
  • requirements-dev.txt (added)
  • Dockerfile (modified)
  • .gitea/workflows/docker-build.yml (read for CI impact analysis)

Findings

Correctness

  • All 12 production deps pinned with == to exact versions matching the live container. Correct approach.
  • pytest and pytest-asyncio correctly moved to requirements-dev.txt with -r requirements.txt include.
  • numpy<2 floor constraint replaced with exact numpy==1.26.4 pin — removes ambiguity.
  • Dockerfile base image pinned from python:3.12-slim to python:3.12.13-slim. Matches production Python version.
  • Verified CI impact: .gitea/workflows/docker-build.yml only runs a Docker build — no standalone pytest step — so removing pytest from requirements.txt does not break CI.
  • The # psycopg[binary] comment is preserved correctly.

Security

  • No security issues. Pinning exact versions is a security improvement — prevents silent upgrades to vulnerable versions.

Style & Conventions

  • No issues. requirements-dev.txt follows the standard -r requirements.txt pattern for dev dependency files.
  • Minor: requirements.txt retains CRLF line endings from the original; requirements-dev.txt uses LF. No functional impact.

Suggestions

  • As noted in the PR body, digest pinning (FROM python:3.12.13-slim@sha256:...) would give complete immutability. The tag pin is already a meaningful improvement — no action required.

Verdict: APPROVED

Clean, correct dependency hygiene change. Versions sourced from the live production container, CI not impacted, dev dependencies correctly separated. Gitea blocks self-approval — posting as COMMENT.


Automated review by Claude PR Reviewer

Claude added the ai-reviewed label and removed the ai-reviewing label 2026-03-10 07:18:23 +00:00
cal merged commit ce894cfa64 into main 2026-03-10 14:07:07 +00:00
cal deleted branch ai/paper-dynasty-discord82 2026-03-10 14:07:08 +00:00
Reference: cal/paper-dynasty-discord#83