chore: Add dependency lockfile for reproducible builds #61

Merged
datasciencemonkey merged 3 commits into main from chore/add-dependency-lockfile
Mar 12, 2026

@datasciencemonkey
Owner

Summary

  • Adds requirements.lock with all 145 transitive dependencies pinned to exact versions
  • Generated with uv pip compile — includes provenance comments showing which package requires what
  • Prevents silent breakage from upstream dependency updates and reduces supply chain risk

Usage

| File | Purpose |
| --- | --- |
| requirements.txt | Loose pins for development |
| requirements.lock | Exact pins for deployment (uv pip install -r requirements.lock) |

Maintenance

uv pip compile requirements.txt -o requirements.lock --upgrade

Fixes #60

🤖 Generated with Claude Code

Generated with uv pip compile. Pins all 145 transitive dependencies
to exact versions with provenance comments.

- requirements.txt: loose pins for development
- requirements.lock: exact pins for deployment

Regenerate with: uv pip compile requirements.txt -o requirements.lock

Fixes #60

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

datasciencemonkey self-assigned this Mar 12, 2026
datasciencemonkey and others added 2 commits March 12, 2026 09:23
Runs pip-audit against requirements.lock on every PR that touches
dependency files. Catches known vulnerabilities before they merge
to main. Also warns if lockfile is stale.

Triggers on:
- PRs modifying requirements.txt or requirements.lock
- Pushes to main modifying the same

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Patch release: dependency lockfile + automated audit workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

datasciencemonkey merged commit e0fe907 into main Mar 12, 2026
1 check passed
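
An added example, not part of this PR or the project's code: a Python check that every entry in a lockfile in `uv pip compile` output format is an exact `==` pin, and that every package named in requirements.txt is covered by the lock. Missing coverage is one simple staleness signal; how the PR's workflow detects a stale lockfile is not shown on this page. The file contents and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not the project's real files).
REQUIREMENTS_TXT = """\
flask>=3.0
Requests[socks]>=2.31
pydantic
"""
LOCK = """\
# This file was autogenerated by uv via the following command:
#    uv pip compile requirements.txt -o requirements.lock
flask==3.0.3
    # via -r requirements.txt
requests==2.32.3
    # via -r requirements.txt
urllib3>=2.0
    # via requests
"""

NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
# name, optional [extras], ==, a version with no wildcard, optional ; marker
EXACT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;*]+)\s*(;.*)?$")

def normalize(name):
    """PEP 503 normalisation so Flask_Login and flask-login compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_lines(text):
    """Yield requirement lines; skip blanks, comments, options and --hash lines."""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip("\\ ").strip()
        if line and not line.startswith(("#", "-")):
            yield line

def check_lock(requirements_text, lock_text):
    """Return (unpinned lock lines, declared names missing from the lock)."""
    pinned, unpinned = {}, []
    for line in requirement_lines(lock_text):
        m = EXACT.match(line)
        if m:
            pinned[normalize(m.group(1))] = m.group(3)
        else:
            unpinned.append(line)
    declared = {normalize(m.group(0))
                for m in map(NAME.match, requirement_lines(requirements_text)) if m}
    return unpinned, sorted(declared - set(pinned))

if __name__ == "__main__":
    print(check_lock(REQUIREMENTS_TXT, LOCK))
```

On the constructed sample, the range pin `urllib3>=2.0` is reported as unpinned and `pydantic` as declared but absent from the lock; a CI job would fail when either list is non-empty.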