Jered Floyd writes:
I've noticed the django-allauth ecosystem seems to be somewhat prone to breaking changes. I'm sure this discussion has happened before, but it may be worth pinning "known good" dependency versions for django-mailman.
That's a double-edged sword, of course, because you will not get security upgrades etc. either.
It seems to me that we generally only pin when there's a strong sense that the incompatibility will continue into the future. My sense is that it's not that allauth is subject to breaking changes (i.e., deliberate backward incompatibility), more that it's prone to bugs that affect Mailman. In this case we see that django-allauth responded promptly with what appears to be a release to address this problem. I think that validates our past practice.
I think it's a good idea to keep a known-good requirements.txt from pip freeze around, but I'm not sure we should provide it.