
Pin backend-api dependencies to exact versions#28

Open

listlessbird wants to merge 1 commit into main from codex/check-project-dependency-on-litellm-package

Conversation

@listlessbird
Owner

Motivation

  • Make backend installs deterministic and auditable by replacing open-ended dependency ranges with exact versions.
  • Reduce risk from unexpected transitive upgrades and simplify vulnerability review for the backend API dependencies.

Description

  • Replaced ranged specifiers (e.g., >=) with exact == pins for runtime dependencies in backend-api/pyproject.toml, including packages such as fastapi, uvicorn, transformers, pydantic, numpy, and boto3.
  • Pinned development dependencies in backend-api/pyproject.toml, including ipykernel, pandas, ruff, and types-boto3-custom to match the vendored wheel.
  • Regenerated backend-api/uv.lock so lock metadata reflects the new exact specifiers.
  • Recorded the change and created a PR for review.

Testing

  • Ran cd backend-api && uv lock --check, which failed initially because pyproject.toml changed and the lockfile needed refresh.
  • Ran cd backend-api && uv lock to refresh the lockfile, which completed successfully.
  • Reran cd backend-api && uv lock --check, which completed successfully and validated the updated lockfile.

Codex Task

@listlessbird
Owner Author

In light of the recent litellm package compromise.
