edx-platform/requirements/constraints.txt

# Version constraints for pip-installation.
#
# This file doesn't install any packages. It specifies version constraints
# that will be applied if a package is needed.
#
# When pinning something here, please provide an explanation of why.  Ideally,
# link to other information that will help people in the future to remove the
# pin when possible.  Writing an issue against the offending project and
# linking to it here is good.
# For further details on how to properly write constraints here please consult
# https://openedx.atlassian.net/wiki/spaces/COMM/pages/4400250883/Adding+pinned+dependencies+in+constraint+file

# This file contains all common constraints for edx-repos
-c common_constraints.txt

# Date: 2025-10-07
# Stay on LTS version, remove once this is added to common constraint
Django<6.0

# Date: 2026-01-13
# We would normally pin celery to <6.0.0 to avoid auto-updating across a major
# version boundary without more thorough testing. The reason it's currently also
# pinned to !=5.6.1 is because of a celery bug related to the eta and countdown
# parameters. This bug caused operational issues in MIT's deployment.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35280
celery>=5.2.2,!=5.6.1,<6.0.0

# Date: 2020-02-10
# django-oauth-toolkit version >=2.0.0 has breaking changes. More details
# mentioned on this issue https://github.com/openedx/edx-platform/issues/32884
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35277
django-oauth-toolkit==1.7.1

# Date: 2024-07-19
# Generally speaking, the major version of django-stubs must either match the major version
# of django, or exceed it by 1. So, we will need to perpetually constrain django-stubs and
# update it as we perform django upgrades. For more details, see:
# https://github.com/typeddjango/django-stubs?tab=readme-ov-file#version-compatibility
# including the note on "Partial Support".
# Issue: https://github.com/openedx/edx-platform/issues/35275
django-stubs<6

# Date: 2019-08-16
# The team that owns this package will manually bump this package rather than having it pulled in automatically.
# This is to allow them to better control its deployment and to do it in a process that works better
# for them.
edx-enterprise==6.6.5

# Date: 2023-07-26
# Our legacy Sass code is incompatible with anything except this ancient libsass version.
# Here is a ticket to upgrade, but it's of debatable importance given that we are rapidly moving
# away from legacy LMS/CMS frontends:
# https://github.com/openedx/edx-platform/issues/31616
libsass==0.10.0

# Date: 2024-07-16
# We need to upgrade the version of elasticsearch to atleast 7.15 before we can upgrade to Numpy 2.0.0
# Otherwise we see a failure while running the following command:
# export DJANGO_SETTINGS_MODULE=cms.envs.test; python manage.py cms check_reserved_keywords --override_file db_keyword_overrides.yml --report_path reports/reserved_keywords --report_file cms_reserved_keyword_report.csv
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35126
numpy<2.0.0

# Date: 2023-09-18
# Library is still in active development. Minor verisons (0.x, 0.x+1) may have
# breaking changes which openedx-core devs want to roll out manually. New patch versions
# are OK to accept automatically.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35269
openedx-core<0.36

# Date: 2023-11-29
# Open AI version 1.0.0 dropped support for openai.ChatCompletion which is currently in use in enterprise.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35268
openai<=0.28.1

# Date: 2024-04-26
# path==16.12.0 breaks the unit test collections check
# needs to be investigated and fixed separately
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35267
path<16.12.0

# Date: 2021-08-25
# At the time of writing this comment, we do not know whether py2neo>=2022
# will support our currently-deployed Neo4j version (3.5).
# Feel free to loosen this constraint if/when it is confirmed that a later
# version of py2neo will work with Neo4j 3.5.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35266
py2neo<2022

# Date: 2020-04-08
# Adding pin to avoid any major upgrade
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35265
pymongo<4.4.1

# Date: 2024-08-06
# social-auth-app-django 5.4.2 introduces a new migration that will not play nicely with large installations. This will touch
# user tables, which are quite large, especially on instances like edx.org.
# We are pinning this until after all the smaller migrations get handled and then we can migrate this all at once.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/37639
social-auth-app-django<=5.4.1

# # Date: 2024-10-14
# # The edx-enterprise is currently using edx-rest-api-client==5.7.1, which needs to be updated first.
# edx-rest-api-client==5.7.1

# Date 2025-01-08
# elasticsearch==7.13.x is downgrading urllib3 from 2.2.3 to 1.26.20
# https://github.com/elastic/elasticsearch-py/blob/v7.13.4/setup.py#L42
# We are pinning this until we can upgrade to a version of elasticsearch that uses a more recent version of urllib3.
# Issue for unpinning: https://github.com/openedx/edx-platform/issues/35126
elasticsearch==7.9.1

# Date 2025-05-09
# lxml and xmlsec need to be constrained because the latest version builds against a newer
# version of libxml2 than what we're running with.  This leads to a version mismatch error
# at runtime.  You can re-produce it by running any test.
# If lxml is pinned in the future and you see this error, it may be that the system libxml2
# is now shipping the correct version and we can un-pin this.
# Issue: https://github.com/openedx/edx-platform/issues/36695
lxml==5.3.2
xmlsec==1.3.14

# Date 2025-08-12
# The newest version of the debug toolbar has a bug in it
# https://github.com/django-commons/django-debug-toolbar/issues/2172
# Pin this back to the previous version until that bug is fixed.
django-debug-toolbar<6.0.0

# Date 2025-10-07
# Cryptography 46.0.0 conflicts with system dependencies needed for snowflake-connector-python
# snowflake-connector-python comes as a dependency of edx-enterprise so it can not be directly pinned here.
# See issue https://github.com/openedx/edx-platform/issues/37417 for details on this.
# This can be unpinned once snowflake-connector-python==4.0.0 is available (contains the fix).
# pact-python==3.0.0 also removes cffi dependency and is causing the upgrade build to fail
# This should also be removed together with cryptography constraint.
# Issue: https://github.com/openedx/edx-platform/issues/37435
cryptography<46.0.0
pact-python<3.0.0

# Date 2026-01-13
# Sphinx-autoapi changed the version of astroid it needs
# but the newer version is not compatible with the current pylint version
# which wants a newer version of astroid.  This can be removed once we're
# building requirements with Python 3.12
# https://github.com/openedx/edx-platform/issues/37880
sphinx-autoapi<3.6.1

# Date 2026-03-02
# setuptools 82.0.0 removed pkg_resources from its distribution, but fs (pyfilesystem2)
# still uses pkg_resources for namespace package declarations. This constraint can be
# removed once pyfilesystem2 drops its pkg_resources usage.
# https://github.com/PyFilesystem/pyfilesystem2/issues/577
# Issue for unpinning: https://github.com/openedx/openedx-platform/issues/38068
setuptools<82

# Date 2026-03-02
# The latest version of pylint pins back astroid to an older version.
# This holdback is not caught in the docs requirements file and since both the docs
# and testing file are required in the development.in file, we fail to compile
# development.txt because of conflicting dependencies.
#
# Holding astroid back until pylint releases a new version that works with the latest
# version of astroid.
# https://github.com/openedx/openedx-platform/issues/38066
astroid==4.0.4