[FEAT]: Pin Dependency Versions in requirements.txt

[itvi-1234]

---

name: 🚀 Feature Request
about: Suggest an idea or a new capability for FireForm.
title: "[FEAT]: Pin Dependency Versions in requirements.txt"
labels: enhancement
assignees: ''

---

📝 Description

Update requirements.txt to include explicit version numbers for all dependencies (e.g., requests==2.31.0), and ensure all used dependencies (like pypdf) are actually stated in the file.

💡 Rationale

Currently, requirements.txt lacks version pinning and is missing pypdf. Installing packages blindly ensures varying results on distinct machines based on whatever edge version is currently published as latest on PyPI. This can silently introduce breaking changes inside Docker build processes.

🛠️ Proposed Solution

A brief sketch of how we might implement this.

• Update to requirements.txt with specific pinned versions (using pip freeze).
• Add pypdf to requirements.txt.

✅ Acceptance Criteria

How will we know this is finished?

• Feature works in Docker container (images rebuild cleanly).
• Python dependencies install cleanly and reliably locally.

[itvi-1234]

If Relevant , I can work on this feature @marcvergees @vharkins1 @juanalvv @manucargar

[marcvergees]

There's kind of a trade-off in open-source projects because sometimes it's a common practice to leave it unpinned to get benefited of any kind of package update. By the same reason, it can give us inestability in the code.

[marcvergees]

What do you think guys we should do here? @vharkins1 @abhishek-8081 @chetanr25.

[chetanr25]

Hey @itvi-1234,
Thanks for bringing up this issue. We’re already aware of it, and it’s definitely something we should plan to address.

For now, since the backend architecture is still being designed and the list of dependencies is not finalized yet, pinning versions at this stage might only be a temporary fix and could require frequent updates later.

I think this can be kept as a lower priority for now, and once the core backend requirements are finalized by mentors, we can properly finalize and pin all required package versions.

tldr;
Yes, we should definitely address this issue, but currently I believe it's a low priority for us.

Let me know your thoughts @marcvergees @vharkins1 @abhishek-8081

[marcvergees]

Let's revise this as soon as we have a big release.

[abhishek-8081]

I think the concern raised in the issue is valid, especially regarding reproducible builds and Docker stability. Missing dependencies like pypdf should definitely be added explicitly to avoid setup issues.

However, I also agree that since the backend stack is still evolving, strict pinning of every dependency right now may lead to frequent maintenance updates. A better approach for the current stage could be:

• ensuring all used dependencies are properly listed,
• optionally pinning only critical/runtime-sensitive packages for now,
• and then doing complete version freezing closer to a major release once the architecture stabilizes.

Overall, I also feel this is important but not urgent at the current stage.

[chetanr25]

Closing this discussion as the issue is of low priority and we will definitely fix it in the upcoming iterations.
Thank you @itvi-1234 for bringing this up.
Thanks @abhishek-8081 and @marcvergees for your inputs.