This repository has been archived by the owner on Jan 5, 2024. It is now read-only.

[securedrop-proxy] make sure to use same versions of prod packages in the dev env #153

Closed
sssoleileraaa opened this issue Jul 13, 2021 · 2 comments · Fixed by #92
Labels
question Further information is requested

Comments

@sssoleileraaa
Contributor

sssoleileraaa commented Jul 13, 2021

Description

dev-requirements.txt is currently built using the --upgrade option. This is fine as long as we don't also upgrade prod dependencies. This was not intentional and should be fixed so that we only use the latest dev-only packages:

pip-compile --generate-hashes --allow-unsafe --upgrade --output-file dev-requirements.txt dev-requirements.in requirements.in

@sssoleileraaa
Contributor Author

This is not really a bug after all, from what I can tell. For example, let's say we pinned the lib click in requirements.in to a version earlier than what black requires (black is a dev-only dependency). We would then get this error when trying to run make update-pip-requirements:

>make update-pip-requirements
pip-compile --generate-hashes --allow-unsafe --upgrade --output-file dev-requirements.txt dev-requirements.in requirements.in
Could not find a version that matches click==7.1.1,>=7,>=7.1.2 (from -r requirements.in (line 11))
Tried: 0.1, 0.1, 0.2, 0.2, 0.3, 0.3, 0.4, 0.4, 0.5, 0.5, 0.5.1, 0.5.1, 0.6, 0.6, 0.7, 0.7, 1.0, 1.0, 1.1, 1.1, 2.0, 2.0, 2.1, 2.1, 2.2, 2.2, 2.3, 2.3, 2.4, 2.4, 2.5, 2.5, 2.6, 2.6, 3.0, 3.0, 3.1, 3.1, 3.2, 3.2, 3.3, 3.3, 4.0, 4.0, 4.1, 4.1, 5.0, 5.0, 5.1, 5.1, 6.0, 6.0, 6.1, 6.1, 6.2, 6.2, 6.3, 6.3, 6.4, 6.4, 6.5, 6.6, 6.6, 6.7, 6.7, 7.0, 7.0, 7.1, 7.1, 7.1.1, 7.1.1, 7.1.2, 7.1.2, 8.0.0, 8.0.0, 8.0.1, 8.0.1
Skipped pre-versions: 6.7.dev0, 8.0.0a1, 8.0.0a1, 8.0.0rc1, 8.0.0rc1
There are incompatible versions in the resolved dependencies:
  click==7.1.1 (from -r requirements.in (line 11))
  click>=7 (from pip-tools==6.2.0->-r dev-requirements.in (line 9))
  click>=7.1.2 (from black==21.7b0->-r dev-requirements.in (line 1))
make: *** [Makefile:56: update-pip-requirements] Error 2

To see this for yourself:

  1. add the following line to requirements.in:

click==7.1.1

  2. run make update-pip-requirements

This would tell a developer that they either need to downgrade and specify a specific version of black in dev-requirements.in that supports an earlier version of click or upgrade click to a more recent version in requirements.in (the above error goes away if you pin click to 7.1.2, for instance). I believe this is desirable, so I no longer think we have a bug here. I vote for closing this issue but would like to hear @zenmonkeykstop or @conorsch's thoughts to get more eyes on this.

@sssoleileraaa sssoleileraaa added question Further information is requested and removed bug Something isn't working labels Jul 30, 2021
@sssoleileraaa
Contributor Author

Also, please read freedomofpress/securedrop-client#1268 (comment) for background on why I created this issue - the thought was that we are currently doing something wrong here by using --upgrade, but I just don't see it. An example like I provided above is really helpful for seeding discussion and making it easier to understand how we could end up with a dev virtualenv that has higher versions of production requirements than will be used in production.

@zenmonkeykstop zenmonkeykstop changed the title make sure to use same versions of prod packages in the dev env [securedrop-proxy] make sure to use same versions of prod packages in the dev env Dec 13, 2023
@zenmonkeykstop zenmonkeykstop transferred this issue from freedomofpress/securedrop-proxy Dec 13, 2023
@zenmonkeykstop zenmonkeykstop transferred this issue from freedomofpress/securedrop-client Dec 13, 2023
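
The concern raised in this thread, a dev virtualenv that ends up with different versions of production requirements than production uses, can be checked mechanically. The following is an added example, not part of the original thread or the project's code: it compares the pins in two pip-compile outputs. The file contents, hash values and function names are constructed for illustration.

```python
import re

# Constructed sample pip-compile outputs (not the project's real lock files);
# the hash values are placeholders.
PROD_TXT = """\
click==7.1.2 \\
    --hash=sha256:aaaa \\
    --hash=sha256:bbbb
    # via -r requirements.in
requests==2.26.0 \\
    --hash=sha256:cccc
"""
DEV_TXT = """\
black==21.7b0 \\
    --hash=sha256:dddd
click==8.0.1 \\
    --hash=sha256:eeee
    # via black, pip-tools
requests==2.26.0 \\
    --hash=sha256:cccc
"""

# A pin starts in column 0; --hash continuations and "# via" comments are indented.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s;\\]+)")

def parse_pins(text):
    """Return {normalized_name: version} for each 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            # PEP 503 name normalization so Foo_Bar and foo-bar compare equal
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = m.group(2)
    return pins

def prod_dev_drift(prod_text, dev_text):
    """List (package, prod_version, dev_version_or_None) where dev differs from prod."""
    prod, dev = parse_pins(prod_text), parse_pins(dev_text)
    return sorted((n, v, dev.get(n)) for n, v in prod.items() if dev.get(n) != v)

if __name__ == "__main__":
    for name, prod_v, dev_v in prod_dev_drift(PROD_TXT, DEV_TXT):
        print(f"{name}: prod pins {prod_v}, dev env has {dev_v or 'no pin'}")
```

Run in CI against the real lock files, a non-empty result means tests are exercising code that will not ship.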