From 88c8a68eb52268111e224293e9a6519944971096 Mon Sep 17 00:00:00 2001
From: bashonly <88596187+bashonly@users.noreply.github.com>
Date: Mon, 6 Apr 2026 19:30:55 -0500
Subject: [PATCH] Pin to exact version for all dependencies in `pin*` extras
 (#16443)

Fix 5f6a214616f6fc3831a2535bcd1f837e90549d10

Authored by: bashonly
---
 devscripts/update_requirements.py | 52 +------------------------------
 pyproject.toml                    | 34 ++++++++++----------
 2 files changed, 18 insertions(+), 68 deletions(-)

diff --git a/devscripts/update_requirements.py b/devscripts/update_requirements.py
index ad9f48fb61..41616eacdb 100755
--- a/devscripts/update_requirements.py
+++ b/devscripts/update_requirements.py
@@ -175,38 +175,6 @@ def modify_and_write_pyproject(
         f.writelines(replace_table_in_pyproject(pyproject_text, table_name, table))
 
 
-@dataclasses.dataclass
-class Dependency:
-    name: str
-    direct_reference: str | None
-    version: str | None
-    markers: str | None
-
-
-def parse_dependency(line: str, comp_op: str = '==') -> Dependency:
-    line = line.rstrip().removesuffix('\\')
-    before, sep, after = map(str.strip, line.partition('@'))
-    name, _, version_and_markers = map(str.strip, before.partition(comp_op))
-    assertion_msg = f'unable to parse Dependency from line:\n    {line}'
-    assert name, assertion_msg
-
-    if sep:
-        # Direct reference
-        version = version_and_markers
-        direct_reference, _, markers = map(str.strip, after.partition(';'))
-        assert direct_reference, assertion_msg
-    else:
-        # No direct reference
-        direct_reference = None
-        version, _, markers = map(str.strip, version_and_markers.partition(';'))
-
-    return Dependency(
-        name=name,
-        direct_reference=direct_reference,
-        version=version or None,
-        markers=markers or None)
-
-
 def run_uv_export(
     *,
     extras: list[str] | None = None,
@@ -412,7 +380,6 @@ def update_requirements(upgrade_only: str | None = None, verify: bool = False):
 
     # Generate/upgrade lockfile
     run_process('uv', 'lock', upgrade_arg, env=env)
-    lockfile = parse_toml(LOCKFILE_PATH.read_text())
 
     # Generate bundle requirements
     if not upgrade_only or upgrade_only.lower() == 'pyinstaller':
@@ -449,24 +416,7 @@ def update_requirements(upgrade_only: str | None = None, verify: bool = False):
 
     # Generate pinned extras
     for pinned_name, extra_name in PINNED_EXTRAS.items():
-        pinned_extra = extras[pinned_name] = []
-        exported_extra = run_uv_export(extras=[extra_name], bare=True)
-        for line in exported_extra.splitlines():
-            dep = parse_dependency(line)
-            wheels = next((
-                pkg.get('wheels') for pkg in lockfile['package']
-                if pkg['name'] == dep.name and pkg['version'] == dep.version), None)
-            assert wheels, f'no wheels found for {dep.name} in lockfile'
-            # If multiple wheels are found, we'll *assume* it's because they're platform-specific.
-            # Platform tags can't be used in markers, so the best we can do is pin to exact version
-            if len(wheels) > 1:
-                pinned_extra.append(line)
-                continue
-            # If there's only a 'none-any' wheel, then use a direct reference to PyPI URL with hash
-            wheel_url = wheels[0]['url']
-            algo, _, digest = wheels[0]['hash'].partition(':')
-            pinned_line = f'{dep.name} @ {wheel_url}#{algo}={digest}'
-            pinned_extra.append(' ; '.join(filter(None, (pinned_line, dep.markers))))
+        extras[pinned_name] = run_uv_export(extras=[extra_name], bare=True).splitlines()
 
     # Write the finalized pyproject.toml
     modify_and_write_pyproject(pyproject_text, table_name=EXTRAS_TABLE, table=extras)
diff --git a/pyproject.toml b/pyproject.toml
index 39b1aa46ec..f87713173a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -69,35 +69,35 @@ deno = [
 pin = [
     "brotli==1.2.0 ; implementation_name == 'cpython' and sys_platform != 'ios'",
     "brotlicffi==1.2.0.1 ; implementation_name != 'cpython'",
-    "certifi @ https://files.pythonhosted.org/packages/9a/3c/c17fb3ca2d9c3acff52e30b309f538586f9f5b9c9cf454f3845fc9af4881/certifi-2026.2.25-py3-none-any.whl#sha256=027692e4402ad994f1c42e52a4997a9763c646b73e4096e4d5d6db8af1d6f0fa",
+    "certifi==2026.2.25",
     "cffi==2.0.0 ; implementation_name != 'cpython'",
     "charset-normalizer==3.4.6",
-    "idna @ https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl#sha256=771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea",
-    "mutagen @ https://files.pythonhosted.org/packages/b0/7a/620f945b96be1f6ee357d211d5bf74ab1b7fe72a9f1525aafbfe3aee6875/mutagen-1.47.0-py3-none-any.whl#sha256=edd96f50c5907a9539d8e5bba7245f62c9f520aef333d13392a79a4f70aca719",
-    "pycparser @ https://files.pythonhosted.org/packages/0c/c3/44f3fbbfa403ea2a7c779186dc20772604442dde72947e7d01069cbe98e3/pycparser-3.0-py3-none-any.whl#sha256=b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992 ; implementation_name != 'PyPy' and implementation_name != 'cpython'",
+    "idna==3.11",
+    "mutagen==1.47.0",
+    "pycparser==3.0 ; implementation_name != 'PyPy' and implementation_name != 'cpython'",
     "pycryptodomex==3.23.0",
-    "requests @ https://files.pythonhosted.org/packages/56/5d/c814546c2333ceea4ba42262d8c4d55763003e767fa169adc693bd524478/requests-2.33.0-py3-none-any.whl#sha256=3324635456fa185245e24865e810cecec7b4caf933d7eb133dcde67d48cee69b",
-    "urllib3 @ https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl#sha256=bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4",
+    "requests==2.33.0",
+    "urllib3==2.6.3",
     "websockets==16.0",
-    "yt-dlp-ejs @ https://files.pythonhosted.org/packages/e3/bd/520769863744b669440a924271a6159ddd82ad5ae26b4ac4d4b69e9f8d44/yt_dlp_ejs-0.8.0-py3-none-any.whl#sha256=79300e5fca7f937a1eeede11f0456862c1b41107ce1d726871e0207424f4bdb4",
+    "yt-dlp-ejs==0.8.0",
 ]
 pin-curl-cffi = [
-    "certifi @ https://files.pythonhosted.org/packages/9a/3c/c17fb3ca2d9c3acff52e30b309f538586f9f5b9c9cf454f3845fc9af4881/certifi-2026.2.25-py3-none-any.whl#sha256=027692e4402ad994f1c42e52a4997a9763c646b73e4096e4d5d6db8af1d6f0fa ; implementation_name == 'cpython'",
+    "certifi==2026.2.25 ; implementation_name == 'cpython'",
     "cffi==2.0.0 ; implementation_name == 'cpython'",
     "curl-cffi==0.15.0 ; implementation_name == 'cpython'",
-    "markdown-it-py @ https://files.pythonhosted.org/packages/94/54/e7d793b573f298e1c9013b8c4dade17d481164aa517d1d7148619c2cedbf/markdown_it_py-4.0.0-py3-none-any.whl#sha256=87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147 ; implementation_name == 'cpython'",
-    "mdurl @ https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl#sha256=84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 ; implementation_name == 'cpython'",
-    "pycparser @ https://files.pythonhosted.org/packages/0c/c3/44f3fbbfa403ea2a7c779186dc20772604442dde72947e7d01069cbe98e3/pycparser-3.0-py3-none-any.whl#sha256=b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992 ; implementation_name == 'cpython'",
-    "pygments @ https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl#sha256=86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b ; implementation_name == 'cpython'",
-    "rich @ https://files.pythonhosted.org/packages/14/25/b208c5683343959b670dc001595f2f3737e051da617f66c31f7c4fa93abc/rich-14.3.3-py3-none-any.whl#sha256=793431c1f8619afa7d3b52b2cdec859562b950ea0d4b6b505397612db8d5362d ; implementation_name == 'cpython'",
+    "markdown-it-py==4.0.0 ; implementation_name == 'cpython'",
+    "mdurl==0.1.2 ; implementation_name == 'cpython'",
+    "pycparser==3.0 ; implementation_name == 'cpython'",
+    "pygments==2.19.2 ; implementation_name == 'cpython'",
+    "rich==14.3.3 ; implementation_name == 'cpython'",
 ]
 pin-secretstorage = [
     "cffi==2.0.0 ; platform_python_implementation != 'PyPy'",
     "cryptography==46.0.6",
-    "jeepney @ https://files.pythonhosted.org/packages/b2/a3/e137168c9c44d18eff0376253da9f1e9234d0239e0ee230d2fee6cea8e55/jeepney-0.9.0-py3-none-any.whl#sha256=97e5714520c16fc0a45695e5365a2e11b81ea79bba796e26f9f1d178cb182683",
-    "pycparser @ https://files.pythonhosted.org/packages/0c/c3/44f3fbbfa403ea2a7c779186dc20772604442dde72947e7d01069cbe98e3/pycparser-3.0-py3-none-any.whl#sha256=b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992 ; implementation_name != 'PyPy' and platform_python_implementation != 'PyPy'",
-    "secretstorage @ https://files.pythonhosted.org/packages/b7/46/f5af3402b579fd5e11573ce652019a67074317e18c1935cc0b4ba9b35552/secretstorage-3.5.0-py3-none-any.whl#sha256=0ce65888c0725fcb2c5bc0fdb8e5438eece02c523557ea40ce0703c266248137",
-    "typing-extensions @ https://files.pythonhosted.org/packages/18/67/36e9267722cc04a6b9f15c7f3441c2363321a3ea07da7ae0c0707beb2a9c/typing_extensions-4.15.0-py3-none-any.whl#sha256=f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548 ; python_full_version < '3.11'",
+    "jeepney==0.9.0",
+    "pycparser==3.0 ; implementation_name != 'PyPy' and platform_python_implementation != 'PyPy'",
+    "secretstorage==3.5.0",
+    "typing-extensions==4.15.0 ; python_full_version < '3.11'",
 ]
 pin-deno = [
     "deno==2.7.8",