From d7d906135830922daaeb57d6ad4dc5bebe0089ca Mon Sep 17 00:00:00 2001
From: Tom Aisthorpe <tom.aisthorpe@aikido.dev>
Date: Thu, 2 Apr 2026 15:27:48 +0100
Subject: [PATCH 1/4] Pin versions for dev requirements

---
 Makefile                  |  6 +++++-
 requirements-dev-py39.txt | 41 +++++++++++++++++++++++++++++++++++++
 requirements-dev.txt      | 43 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 requirements-dev-py39.txt
 create mode 100644 requirements-dev.txt

diff --git a/Makefile b/Makefile
index e8722043..53933cd8 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,11 @@ lint:
 	poetry run black aikido_zen/
 	poetry run pylint aikido_zen/
 install: check_binaries
-	pip install poetry
+	if python -c "import sys; sys.exit(0 if sys.version_info >= (3, 10) else 1)"; then \
+		pip install -r requirements-dev.txt; \
+	else \
+		pip install -r requirements-dev-py39.txt; \
+	fi
 	poetry install
 .PHONY: dev_install
 dev_install: install
diff --git a/requirements-dev-py39.txt b/requirements-dev-py39.txt
new file mode 100644
index 00000000..8d0a4892
--- /dev/null
+++ b/requirements-dev-py39.txt
@@ -0,0 +1,41 @@
+build==1.2.2.post1
+CacheControl==0.14.2
+certifi==2024.8.30
+cffi==1.17.1
+charset-normalizer==3.3.2
+cleo==2.1.0
+crashtest==0.4.1
+distlib==0.4.0
+dulwich==0.21.7
+fastjsonschema==2.21.2
+filelock==3.16.1
+idna==3.8
+importlib_metadata==8.5.0
+importlib_resources==6.4.5
+installer==0.7.0
+jaraco.classes==3.4.0
+keyring==24.3.1
+more-itertools==10.5.0
+msgpack==1.1.1
+packaging==26.0
+pexpect==4.9.0
+pkginfo==1.12.1.2
+platformdirs==4.3.6
+poetry==1.8.5
+poetry-core==1.9.1
+poetry-plugin-export==1.8.0
+ptyprocess==0.7.0
+pycparser==2.23
+pyproject_hooks==1.2.0
+rapidfuzz==3.9.7
+requests==2.32.3
+requests-toolbelt==1.0.0
+shellingham==1.5.4
+tomli==2.4.1
+tomlkit==0.13.3
+trove-classifiers==2026.1.14.14
+typing_extensions==4.13.2
+urllib3==2.2.3
+virtualenv==20.39.1
+xattr==1.2.0
+zipp==3.20.2
diff --git a/requirements-dev.txt b/requirements-dev.txt
new file mode 100644
index 00000000..8cc890f3
--- /dev/null
+++ b/requirements-dev.txt
@@ -0,0 +1,43 @@
+anyio==4.13.0
+build==1.4.2
+CacheControl==0.14.4
+certifi==2024.8.30
+cffi==2.0.0
+charset-normalizer==3.3.2
+cleo==2.1.0
+crashtest==0.4.1
+distlib==0.4.0
+dulwich==1.1.0
+fastjsonschema==2.21.2
+filelock==3.25.2
+findpython==0.7.1
+h11==0.16.0
+httpcore==1.0.9
+httpx==0.28.1
+idna==3.8
+installer==0.7.0
+jaraco.classes==3.4.0
+jaraco.context==6.1.2
+jaraco.functools==4.4.0
+keyring==25.7.0
+more-itertools==10.8.0
+msgpack==1.1.2
+packaging==26.0
+pbs-installer==2026.3.25
+pkginfo==1.12.1.2
+platformdirs==4.9.4
+poetry==2.3.2
+poetry-core==2.3.1
+pycparser==3.0
+pyproject_hooks==1.2.0
+python-discovery==1.2.1
+RapidFuzz==3.14.3
+requests==2.32.3
+requests-toolbelt==1.0.0
+shellingham==1.5.4
+tomlkit==0.14.0
+trove-classifiers==2026.1.14.14
+urllib3==2.2.3
+virtualenv==21.2.0
+xattr==1.3.0
+zstandard==0.25.0

From f898dd723c1857dbf4e9b47a3865893f00e6b5a1 Mon Sep 17 00:00:00 2001
From: Tom Aisthorpe <tom.aisthorpe@aikido.dev>
Date: Thu, 2 Apr 2026 16:05:42 +0100
Subject: [PATCH 2/4] Use requirements-dev.txt in workflows

---
 .github/workflows/end2end.yml      | 2 +-
 .github/workflows/publish.yml      | 2 +-
 .github/workflows/qa-tests.yml     | 2 +-
 .github/workflows/test-publish.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index a9b3d10a..082a8ecc 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install poetry
-        run: pip install poetry
+        run: pip install -r requirements-dev.txt
       - name: Build
         run: make build
       - name: Upload artifacts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 88b22563..ef9ba383 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -56,7 +56,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Install poetry
-      run: pip install poetry
+      run: pip install -r requirements-dev.txt
     - name: Set the version for this release
       run: |
         TAG_NAME=${GITHUB_REF##*/}
diff --git a/.github/workflows/qa-tests.yml b/.github/workflows/qa-tests.yml
index 8ec03aa4..036fc28c 100644
--- a/.github/workflows/qa-tests.yml
+++ b/.github/workflows/qa-tests.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Setup safe-chain
         run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
       - name: Install poetry
-        run: pip install poetry
+        run: pip install -r firewall-python/requirements-dev.txt
 
       - name: Build firewall-python dev package
         run: |
diff --git a/.github/workflows/test-publish.yml b/.github/workflows/test-publish.yml
index 7ffbaa88..1c228faf 100644
--- a/.github/workflows/test-publish.yml
+++ b/.github/workflows/test-publish.yml
@@ -57,7 +57,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Install poetry
-      run: pip install poetry
+      run: pip install -r requirements-dev.txt
     - name: Set the version for this release
       run: |
         TAG_NAME=${GITHUB_REF##*/}

From 371af418e7dbde358d59b894ea62e1c7f8c83d12 Mon Sep 17 00:00:00 2001
From: Tom Aisthorpe <tom.aisthorpe@aikido.dev>
Date: Thu, 2 Apr 2026 16:26:58 +0100
Subject: [PATCH 3/4] Attempt constraints approach

---
 .github/workflows/end2end.yml      |  2 +-
 .github/workflows/publish.yml      |  2 +-
 .github/workflows/qa-tests.yml     |  2 +-
 .github/workflows/test-publish.yml |  2 +-
 Makefile                           |  6 +----
 pip-constraints.txt                |  5 ++++
 requirements-dev-py39.txt          | 41 ----------------------------
 requirements-dev.txt               | 43 ------------------------------
 8 files changed, 10 insertions(+), 93 deletions(-)
 create mode 100644 pip-constraints.txt
 delete mode 100644 requirements-dev-py39.txt
 delete mode 100644 requirements-dev.txt

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index 082a8ecc..a13f600a 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install poetry
-        run: pip install -r requirements-dev.txt
+        run: pip install -c pip-constraints.txt poetry
       - name: Build
         run: make build
       - name: Upload artifacts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ef9ba383..5cdfae11 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -56,7 +56,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Install poetry
-      run: pip install -r requirements-dev.txt
+      run: pip install -c pip-constraints.txt poetry
     - name: Set the version for this release
       run: |
         TAG_NAME=${GITHUB_REF##*/}
diff --git a/.github/workflows/qa-tests.yml b/.github/workflows/qa-tests.yml
index 036fc28c..cd6be6d6 100644
--- a/.github/workflows/qa-tests.yml
+++ b/.github/workflows/qa-tests.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Setup safe-chain
         run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
       - name: Install poetry
-        run: pip install -r firewall-python/requirements-dev.txt
+        run: pip install -c firewall-python/pip-constraints.txt poetry
 
       - name: Build firewall-python dev package
         run: |
diff --git a/.github/workflows/test-publish.yml b/.github/workflows/test-publish.yml
index 1c228faf..a5bb39ce 100644
--- a/.github/workflows/test-publish.yml
+++ b/.github/workflows/test-publish.yml
@@ -57,7 +57,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Install poetry
-      run: pip install -r requirements-dev.txt
+      run: pip install -c pip-constraints.txt poetry
     - name: Set the version for this release
       run: |
         TAG_NAME=${GITHUB_REF##*/}
diff --git a/Makefile b/Makefile
index 53933cd8..c4e75efe 100644
--- a/Makefile
+++ b/Makefile
@@ -19,11 +19,7 @@ lint:
 	poetry run black aikido_zen/
 	poetry run pylint aikido_zen/
 install: check_binaries
-	if python -c "import sys; sys.exit(0 if sys.version_info >= (3, 10) else 1)"; then \
-		pip install -r requirements-dev.txt; \
-	else \
-		pip install -r requirements-dev-py39.txt; \
-	fi
+	pip install -c pip-constraints.txt poetry
 	poetry install
 .PHONY: dev_install
 dev_install: install
diff --git a/pip-constraints.txt b/pip-constraints.txt
new file mode 100644
index 00000000..469c252d
--- /dev/null
+++ b/pip-constraints.txt
@@ -0,0 +1,5 @@
+charset-normalizer==3.3.2
+certifi==2024.8.30
+urllib3==2.2.3
+idna==3.8
+requests==2.32.3
diff --git a/requirements-dev-py39.txt b/requirements-dev-py39.txt
deleted file mode 100644
index 8d0a4892..00000000
--- a/requirements-dev-py39.txt
+++ /dev/null
@@ -1,41 +0,0 @@
-build==1.2.2.post1
-CacheControl==0.14.2
-certifi==2024.8.30
-cffi==1.17.1
-charset-normalizer==3.3.2
-cleo==2.1.0
-crashtest==0.4.1
-distlib==0.4.0
-dulwich==0.21.7
-fastjsonschema==2.21.2
-filelock==3.16.1
-idna==3.8
-importlib_metadata==8.5.0
-importlib_resources==6.4.5
-installer==0.7.0
-jaraco.classes==3.4.0
-keyring==24.3.1
-more-itertools==10.5.0
-msgpack==1.1.1
-packaging==26.0
-pexpect==4.9.0
-pkginfo==1.12.1.2
-platformdirs==4.3.6
-poetry==1.8.5
-poetry-core==1.9.1
-poetry-plugin-export==1.8.0
-ptyprocess==0.7.0
-pycparser==2.23
-pyproject_hooks==1.2.0
-rapidfuzz==3.9.7
-requests==2.32.3
-requests-toolbelt==1.0.0
-shellingham==1.5.4
-tomli==2.4.1
-tomlkit==0.13.3
-trove-classifiers==2026.1.14.14
-typing_extensions==4.13.2
-urllib3==2.2.3
-virtualenv==20.39.1
-xattr==1.2.0
-zipp==3.20.2
diff --git a/requirements-dev.txt b/requirements-dev.txt
deleted file mode 100644
index 8cc890f3..00000000
--- a/requirements-dev.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-anyio==4.13.0
-build==1.4.2
-CacheControl==0.14.4
-certifi==2024.8.30
-cffi==2.0.0
-charset-normalizer==3.3.2
-cleo==2.1.0
-crashtest==0.4.1
-distlib==0.4.0
-dulwich==1.1.0
-fastjsonschema==2.21.2
-filelock==3.25.2
-findpython==0.7.1
-h11==0.16.0
-httpcore==1.0.9
-httpx==0.28.1
-idna==3.8
-installer==0.7.0
-jaraco.classes==3.4.0
-jaraco.context==6.1.2
-jaraco.functools==4.4.0
-keyring==25.7.0
-more-itertools==10.8.0
-msgpack==1.1.2
-packaging==26.0
-pbs-installer==2026.3.25
-pkginfo==1.12.1.2
-platformdirs==4.9.4
-poetry==2.3.2
-poetry-core==2.3.1
-pycparser==3.0
-pyproject_hooks==1.2.0
-python-discovery==1.2.1
-RapidFuzz==3.14.3
-requests==2.32.3
-requests-toolbelt==1.0.0
-shellingham==1.5.4
-tomlkit==0.14.0
-trove-classifiers==2026.1.14.14
-urllib3==2.2.3
-virtualenv==21.2.0
-xattr==1.3.0
-zstandard==0.25.0

From 561b5ca66d4d07380741b86a5dfbdc0faa131b32 Mon Sep 17 00:00:00 2001
From: Tom Aisthorpe <tom.aisthorpe@aikido.dev>
Date: Thu, 2 Apr 2026 16:34:26 +0100
Subject: [PATCH 4/4] Add more-itertools to constraints

---
 pip-constraints.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pip-constraints.txt b/pip-constraints.txt
index 469c252d..8bae1d5d 100644
--- a/pip-constraints.txt
+++ b/pip-constraints.txt
@@ -1,4 +1,5 @@
 charset-normalizer==3.3.2
+more-itertools==10.8.0
 certifi==2024.8.30
 urllib3==2.2.3
 idna==3.8