Spike: Should we freeze Python dependencies in every cki-project

In theory we should upgrade packages as soon as a new version is available, if nothing else to get security patches. Equally, having lock files can prevent us from upgrading into malicious versions created by supply chain attacks.

We have pipeline-definition/constraints.txt with a few dependency locks; a new line is added whenever we hit a compatibility problem with one of the dependencies.
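As an added illustration (not code from any cki-project repository), the script below shows the gap between a constraints file and a real lock file: pip's `-c` constraints only apply to packages that are being installed anyway, so every direct requirement without an exact pin in either file still floats to the newest release on each pipeline run. The requirements and constraints contents are constructed sample data, not the real files.

```python
"""Audit a requirements file against a pip constraints file.

Added example, not part of cki-project. Reports which direct dependencies
are still unpinned after constraints are applied, and which constraints
match no direct requirement (they may still apply to transitive packages,
which this script does not resolve).
"""
import re
from dataclasses import dataclass

# Constructed sample inputs standing in for requirements.txt / constraints.txt.
REQUIREMENTS = """\
requests>=2.28
PyYAML
click==8.1.7
"""

CONSTRAINTS = """\
# pinned after a compatibility problem (constructed sample)
pyyaml==6.0.1
urllib3<2
"""

SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


@dataclass
class Spec:
    name: str
    specifier: str  # e.g. '==6.0.1', '>=2.28', or '' when unconstrained


def normalize(name):
    """PEP 503 normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_spec_file(text):
    """Parse a requirements- or constraints-style file into {name: Spec}."""
    specs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        match = SPEC_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse line: {raw!r}")
        name = normalize(match.group(1))
        specs[name] = Spec(name, match.group(2).replace(" ", ""))
    return specs


def is_exact_pin(specifier):
    """True only for a single '==X.Y.Z' clause; ranges and '<' still float."""
    return specifier.startswith("==") and "," not in specifier


def audit(requirements_text, constraints_text):
    """Return direct deps that still float and constraints with no direct match."""
    reqs = parse_spec_file(requirements_text)
    cons = parse_spec_file(constraints_text)
    floating = sorted(
        name for name, spec in reqs.items()
        if not is_exact_pin(spec.specifier)
        and not is_exact_pin(cons.get(name, Spec(name, "")).specifier)
    )
    not_direct = sorted(name for name in cons if name not in reqs)
    return {"floating": floating, "not_direct": not_direct}


if __name__ == "__main__":
    report = audit(REQUIREMENTS, CONSTRAINTS)
    print("still floating:", ", ".join(report["floating"]) or "none")
    print("constraints with no direct requirement:",
          ", ".join(report["not_direct"]) or "none")
```

On the sample input, `requests` is the only direct dependency left floating (`click` is pinned in requirements, `PyYAML` via constraints), and the `urllib3<2` constraint matches no direct requirement, so it only has an effect if some other package pulls `urllib3` in. A generated lock file (for example from `pip-compile --generate-hashes`, installed with `pip install --require-hashes`) would leave neither category non-empty, because it pins every package in the resolved tree.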

Simone raised the question:

Could we lock the dependencies in each CKI project instead?

  • Differences between locking deps for libraries (cki-lib, dw-api-lib, reporter) vs applications (cki-tools, receiver, reporter)

  • Differences with Node

Jira: CKI-6973

Edited by Tales da Aparecida