From 083f38ca776121d89ef5782df788befac08c4896 Mon Sep 17 00:00:00 2001
From: JohnBaumb <80135794+JohnBaumb@users.noreply.github.com>
Date: Wed, 6 May 2026 15:45:19 -0700
Subject: [PATCH] pin all dependencies to exact resolved versions

---
 requirements-dev.txt |  4 ++--
 requirements.txt     | 46 +++++++++++++++++++++-----------------------
 2 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/requirements-dev.txt b/requirements-dev.txt
index 587022df..af02d432 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -2,7 +2,7 @@
 # Runtime web dependencies + test runner
 
 -r requirements.txt
-ruff
+ruff==0.15.12
 
 # Test runner
-pytest>=9.0.0
+pytest==9.0.3
diff --git a/requirements.txt b/requirements.txt
index a52eda81..d56bf1f4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,51 +1,49 @@
 # SoulSync requirements
 # Web application dependencies only
-# (cache-bust 2026-05-02: dev nightly image was serving a poisoned layer
-#  with missing dependencies; touching this comment forces the GHA Docker
-#  layer cache to invalidate the pip-install step on the next build.)
+# All dependencies pinned for reproducible builds.
 
 # Core web framework
-Flask>=3.0.0
-Flask-Limiter>=3.5.0
+Flask==3.1.3
+Flask-Limiter==4.1.1
 
 # Music service APIs
-spotipy>=2.23.0
-PlexAPI>=4.17.0
+spotipy==2.26.0
+PlexAPI==4.18.1
 
-# HTTP and async support  
-requests>=2.31.0
-aiohttp>=3.9.0
+# HTTP and async support
+requests==2.33.1
+aiohttp==3.13.5
 
 # Security and encryption
-cryptography>=41.0.0
+cryptography==48.0.0
 
 # Media metadata handling
-mutagen>=1.47.0
-Pillow>=10.0.0
+mutagen==1.47.0
+Pillow==12.2.0
 
 # Text processing
-unidecode>=1.3.8
-beautifulsoup4>=4.12.0
+Unidecode==1.4.0
+beautifulsoup4==4.14.3
 
 # System monitoring
-psutil>=6.0.0
+psutil==7.2.2
 
-# YouTube support — pinned for reproducible builds; bump per release. See #367.
+# YouTube support
 yt-dlp==2026.3.17
 
 # Lyrics support
-lrclibapi>=0.3.1
+lrclibapi==0.3.1
 
 # Audio fingerprinting for download verification
-pyacoustid>=1.3.0
+pyacoustid==1.3.1
 
 # WebSocket client for Hydrabase connection
-websocket-client>=1.7.0
+websocket-client==1.9.0
 
 # Tidal download support
-tidalapi>=0.7.6
+tidalapi==0.8.11
 
 # WebSocket server for real-time UI updates
-flask-socketio>=5.3.0
-gunicorn>=25.3.0
-simple-websocket>=1.1.0
+flask-socketio==5.6.1
+gunicorn==26.0.0
+simple-websocket==1.1.0