
Lock dependencies to specific versions #367

@Glutexo

As this is not a library, but a deployable application, it should have its dependencies stated more clearly. Currently all packages are listed without a version. Although this is not a problem when deploying, thanks to the lock file, it brings some mild problems:

  • Special caution is required when dealing with the packages: rebuilding the lock file incautiously may result in bumping up a package to a too high version.
  • Code is not written for specific versions of the libraries; the exact version used can be determined only by looking into the lock file.

This is not how it should work and is not semantic at all. The Pipfile itself should contain a list of packages and their version constraints. The lock file is there to replicate the same environment.

Also please see a notoriously known article, slightly related to this.
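The checker below is an added example, not code from the issue or from the project: it parses a constructed Pipfile, lists every package declared without a version constraint, and looks up the exact version a constructed Pipfile.lock currently resolves it to, which is the constraint the issue says is only implicit today. It assumes the standard Pipfile/Pipfile.lock layout (a `[packages]` section in the Pipfile, a `default` map in the lock).

```python
import json
import re

# Constructed sample Pipfile and Pipfile.lock (not the project's own files).
SAMPLE_PIPFILE = """
[[source]]
name = "pypi"
[packages]
flask = "*"
requests = ">=2.20,<3"
sqlalchemy = {version = "==1.3.0", extras = ["postgresql"]}
gunicorn = "*"
"""
SAMPLE_LOCK = json.dumps({"default": {
    "flask": {"version": "==1.1.2"}, "requests": {"version": "==2.25.1"},
    "sqlalchemy": {"version": "==1.3.0"}, "gunicorn": {"version": "==20.0.4"},
    "werkzeug": {"version": "==1.0.1"},  # transitive dependency, not in Pipfile
}})

SECTION_RE = re.compile(r"^\s*\[+(?P<name>[^\]]+)\]+\s*$")
ENTRY_RE = re.compile(r"^\s*(?P<pkg>[A-Za-z0-9_.\-]+)\s*=\s*(?P<val>.+?)\s*$")
TABLE_VERSION_RE = re.compile(r'version\s*=\s*"(?P<spec>[^"]*)"')

def parse_pipfile_packages(text, section="packages"):
    """Return {package: version spec} for one Pipfile section; handles both
    `pkg = "spec"` and `pkg = {version = "spec", ...}` (no version key -> "*")."""
    specs, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line) if current == section else None
        if not m:
            continue
        val = m.group("val")
        if val.startswith("{"):
            v = TABLE_VERSION_RE.search(val)
            specs[m.group("pkg")] = v.group("spec") if v else "*"
        else:
            specs[m.group("pkg")] = val.strip("\"'")
    return specs

def unpinned_with_locked_version(pipfile_text, lock_text, section="packages"):
    """Map each unconstrained Pipfile package to the exact version the lock
    currently resolves it to: the constraint that is only implicit today."""
    locked = json.loads(lock_text).get("default" if section == "packages" else "develop", {})
    return {pkg: locked.get(pkg, {}).get("version", "<not in lock>")
            for pkg, spec in parse_pipfile_packages(pipfile_text, section).items()
            if spec.strip() in ("", "*")}
```

Running `unpinned_with_locked_version(SAMPLE_PIPFILE, SAMPLE_LOCK)` on the sample reports `flask` and `gunicorn` with the versions the lock pins them to, which is the information that would need to move into the Pipfile as explicit constraints.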
