codewatch
Use pip-tools to fully pin all dependencies
Mostly just an idea for now.
Thinking about / reading this: https://hynek.me/articles/python-app-deps-2018/
We don’t really have deployment needs or anything, but having actually-repeatable-CI would still be pretty nice and I think would require all deps (even implicit ones) to be pinned.
pip-tools is a nice way to maintain the difference between the explicit and implicit deps while still having them fully pinned.
(adding from discussion on Slack)
Why this might be important:
...Hypothetically:
codewatch’s requirements.txt has foo == 1.0 in it
foo 1.0 depends on bar >= 1.1
current latest bar is 1.1
run the build, it passes!
bar 1.2 is released
Result: Re-running the build against the same commit could have different results. There’s no documented dependency on bar==1.1.
The other option, dumping the full set of deps (explicit and implicit) into requirements_whatever.txt or setup.py, leads to another failure mode … A massive set of requirements that is hard to upgrade.
BUT
Our library can be installed via pip but I don’t think that’s a guarantee. So we probably just need to pin everything in setup.py.
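The hypothetical above, as an added example (not codewatch's own code): a toy resolver run against two constructed index snapshots, before and after a new bar 1.2 appears. The loose requirements.txt resolves differently for the same commit, while the fully pinned, pip-compile style list resolves identically both times. Package names, versions and the index are all constructed for the demonstration.

```python
# Added example, not part of codewatch: a toy resolver that reproduces the
# dependency-drift scenario. Package index, names and versions are constructed.
import re

# Constructed index snapshots: package -> {version: [requirement specs]}
INDEX_BEFORE = {
    "foo": {"1.0": ["bar>=1.1"]},
    "bar": {"1.0": [], "1.1": []},
}
INDEX_AFTER = {
    "foo": {"1.0": ["bar>=1.1"]},
    "bar": {"1.0": [], "1.1": [], "1.2": []},  # bar 1.2 has been released
}

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|>|<)\s*([0-9.]+)\s*$")
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
       "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def vkey(version):
    """Compare dotted versions numerically, e.g. 1.10 > 1.9."""
    return tuple(int(p) for p in version.split("."))

def parse(spec):
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    return m.group(1).lower(), m.group(2), m.group(3)

def resolve(requirements, index):
    """Pin the newest version satisfying each spec, following dependencies."""
    pinned, todo = {}, list(requirements)
    while todo:
        name, op, ver = parse(todo.pop())
        if name in pinned:  # already chosen: just check the new constraint
            if not OPS[op](vkey(pinned[name]), vkey(ver)):
                raise RuntimeError(f"conflict on {name}")
            continue
        candidates = [v for v in index[name] if OPS[op](vkey(v), vkey(ver))]
        if not candidates:
            raise RuntimeError(f"no version of {name} satisfies {op}{ver}")
        chosen = max(candidates, key=vkey)
        pinned[name] = chosen
        todo.extend(index[name][chosen])  # pull in the implicit deps
    return pinned

LOOSE = ["foo==1.0"]                # what requirements.txt says today
LOCKED = ["foo==1.0", "bar==1.1"]   # what a pip-compile style lockfile records

if __name__ == "__main__":
    print("loose: ", resolve(LOOSE, INDEX_BEFORE), resolve(LOOSE, INDEX_AFTER))
    print("locked:", resolve(LOCKED, INDEX_BEFORE), resolve(LOCKED, INDEX_AFTER))
```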
Lack of pinning prompted an update of astroid from 1.6.5 to 2.0.4 which broke the tool, so this is a problem we're running into sooner rather than later.
@shawndrape Can you describe how that happened? Astroid is pinned in setup.py
@shawndrape The issue you encountered has been fixed in 0.0.19!