From 239ae1dbd8d27c279f4612880afd5c603c1f29ff Mon Sep 17 00:00:00 2001
From: Mike VanDenburgh <michael.vandenburgh@kitware.com>
Date: Fri, 10 Oct 2025 12:21:43 -0400
Subject: [PATCH 1/2] Include pinned versions in `pyproject.toml`

I think we should continue to pin abstract dependencies where it makes
sense. In these cases, we are explicitly pinning two dependencies to a
specific version for application-level reasons.
---
 pyproject.toml | 4 ++--
 uv.lock        | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index f1db9a368..6dc0267fe 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,7 +13,7 @@ dependencies = [
   "celery",
   "dandi",  # minimal version is also provided in API /info
   # Pin dandischema to exact version to make explicit which schema version is being used
-  "dandischema",  # schema version 0.6.10
+  "dandischema==0.11.1",  # schema version 0.6.10
   "django[argon2]",
   # Pin to version where this bug is fixed
   # https://codeberg.org/allauth/django-allauth/issues/4072
@@ -31,7 +31,7 @@ dependencies = [
   "django-stubs-ext",
   # TODO: pin djangorestframework until we figure out what the cause of
   # https://github.com/dandi/dandi-archive/issues/1896 is.
-  "djangorestframework",
+  "djangorestframework<3.15.0",
   "drf-extensions",
   "drf-yasg",
   "fsspec[http]",
diff --git a/uv.lock b/uv.lock
index 7d5a915db..223e6adce 100644
--- a/uv.lock
+++ b/uv.lock
@@ -731,7 +731,7 @@ requires-dist = [
     { name = "boto3" },
     { name = "celery" },
     { name = "dandi" },
-    { name = "dandischema" },
+    { name = "dandischema", specifier = "==0.11.1" },
     { name = "django", extras = ["argon2"] },
     { name = "django-allauth" },
     { name = "django-auth-style" },
@@ -749,7 +749,7 @@ requires-dist = [
     { name = "django-s3-file-field", extras = ["s3"] },
     { name = "django-storages", extras = ["s3"] },
     { name = "django-stubs-ext" },
-    { name = "djangorestframework" },
+    { name = "djangorestframework", specifier = "<3.15.0" },
     { name = "drf-extensions" },
     { name = "drf-yasg" },
     { name = "fsspec", extras = ["http"] },

From 44eaf6cf35e5318baa84e0bd710e3e2292d62aea Mon Sep 17 00:00:00 2001
From: Mike VanDenburgh <michael.vandenburgh@kitware.com>
Date: Fri, 10 Oct 2025 12:22:31 -0400
Subject: [PATCH 2/2] Remove comment about pinning

We're not pinning `allauth` to an older version, so I don't see this
comment as being helpful anymore with the introduction of `uv.lock`.
---
 pyproject.toml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 6dc0267fe..82e7243ca 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,8 +15,6 @@ dependencies = [
   # Pin dandischema to exact version to make explicit which schema version is being used
   "dandischema==0.11.1",  # schema version 0.6.10
   "django[argon2]",
-  # Pin to version where this bug is fixed
-  # https://codeberg.org/allauth/django-allauth/issues/4072
   "django-allauth",
   "django-auth-style",
   "django-click",