Unbounded Dependency Pins in requirements.txt #47

@bradjin8

Description

Repository: cppa-cursor-browser
Assignee: Brad @bradjin8
Severity: Medium

Problem

requirements.txt specifies flask>=3.0, fpdf2>=2.7, pywebview>=5.0 and other dependencies with lower bounds only — no upper bounds. Each CI run may resolve a different dependency version combination, making test results non-reproducible. A breaking change in any dependency (e.g., a Flask 4.0 release that changes path serialization) would silently break the project with no CI signal until a user hits the error. This compounds with the single-OS CI matrix: untested dependency combinations are evaluated on only one of three claimed platforms.

Acceptance Criteria

  • All runtime dependencies in requirements.txt (and/or pyproject.toml if item 4 lands first) have both lower and upper bounds (e.g., flask>=3.0,<4)
  • A requirements-lock.txt (or equivalent pinned lock file) is generated and committed for reproducible CI runs
  • CI installs from the lock file for deterministic test results
  • A Dependabot or Renovate configuration (or manual process) is documented for periodically updating the lock file
  • Upper bounds are chosen conservatively based on current known-compatible major versions

Implementation Notes

If item 4 (pyproject.toml) lands first, declare bounded dependencies in [project.dependencies] and generate a lock file with pip-compile (from pip-tools). If working with requirements.txt alone, add upper bounds directly (e.g., flask>=3.0,<4). The key dependencies to bound are: flask, fpdf2, pywebview, markupsafe, and any other packages that have had breaking major releases. Consider adding a CI step that runs pip-compile --upgrade weekly via a scheduled workflow to keep pins current without manual effort.
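As an added check for the acceptance criteria above (not code from the cppa-cursor-browser repository), this stdlib-only Python script scans a requirements.txt for specifiers that leave the upper end of the version range open, which is exactly what lets a future major release slip into CI unnoticed. The BEFORE/AFTER texts are constructed samples; the `<3`/`<6` caps chosen for fpdf2, pywebview and markupsafe in AFTER are illustrative assumptions, not verified compatibility limits, and `==`/`~=` count as bounded per PEP 440 semantics.

```python
import re
# Operators that cap the acceptable range from above; ">=", ">" and "!=" do not.
UPPER_BOUND_OPS = {"<", "<=", "==", "===", "~="}
# Stdlib-only parser for "name[extras] specifiers ; markers" (constructed here).
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([A-Za-z0-9.*+!-]+)")

def parse_requirement(line):
    """Return (name, [(op, version), ...]), or None for comments/options/URLs."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or "@" in line:
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")
    spec_text = m.group(3).split(";", 1)[0]  # drop environment markers
    return name, _SPEC_RE.findall(spec_text)

def is_upper_bounded(specs):
    """True if at least one specifier keeps the next major release out."""
    return any(op in UPPER_BOUND_OPS for op, _ in specs)

def unbounded_requirements(text):
    """Names of requirements free to float to any future major version."""
    flagged = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is not None and not is_upper_bounded(parsed[1]):
            flagged.append(parsed[0])
    return flagged

# Constructed sample reproducing the pattern the issue describes.
BEFORE = """\
flask>=3.0
fpdf2>=2.7
pywebview>=5.0
markupsafe
"""

# The same dependencies capped at assumed current-major limits (illustrative).
AFTER = """\
flask>=3.0,<4
fpdf2>=2.7,<3
pywebview>=5.0,<6
markupsafe>=2.1,<3 ; python_version >= "3.9"
"""
```

Running `unbounded_requirements` against the real file in a CI step (failing the job when the list is non-empty) turns the acceptance criterion into an automated gate rather than a review-time convention.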

References

  • Eval finding: test 34
  • Cluster: unbounded-dependency-pins
  • Related files: requirements.txt, .github/workflows/tests.yml
  • Compounds: COMPOUND-F (unbounded pins + single-OS CI)
