From 463622c644f4bd238a61c88be28887ac85e729de Mon Sep 17 00:00:00 2001
From: Vadim Malanov <vadim.malanov@gmail.com>
Date: Wed, 13 May 2026 17:12:15 +0300
Subject: [PATCH] deps: tighten version ranges, pin Docling to <2.15

Docling's DocumentConverter shape (text_items, prov[0].page_no,
export_to_markdown signature) still moves between 2.x minor releases.
Cap docling to >=2.0.0,<2.15 so a wheel bump cannot silently break
the defensive walkers in app/ingestion/docling_extractor.py until a
staging smoke test has run against the new minor.

Every other runtime dep gets the same major/minor upper bound:
- web/api: fastapi <0.117, uvicorn <0.33, pydantic <3
- db: sqlalchemy <2.1, psycopg <3.3, alembic <1.14
- search: opensearch-py <3, qdrant-client <1.13
- ingest: ocrmypdf <17, pikepdf <10, pypdf <6
- ml: FlagEmbedding <2, sentence-transformers <4, transformers <5,
      torch <3, numpy <3
- ops/utils: structlog <26, orjson <4, httpx <0.29, click <9

Lift any specific upper bound only after the corresponding regression
test passes on a staging upgrade.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 pyproject.toml | 67 +++++++++++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 31 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index fb3ffdc..38897e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,54 +12,59 @@ license = { text = "Apache-2.0" }
 readme = "README.md"
 
 dependencies = [
-    "fastapi>=0.115.0",
-    "uvicorn[standard]>=0.30.0",
-    "pydantic>=2.7.0",
-    "pydantic-settings>=2.4.0",
+    "fastapi>=0.115.0,<0.117",
+    "uvicorn[standard]>=0.30.0,<0.33",
+    "pydantic>=2.7.0,<3",
+    "pydantic-settings>=2.4.0,<3",
     "python-multipart>=0.0.9",
 
     # DB
-    "sqlalchemy>=2.0.30",
-    "psycopg[binary]>=3.2.0",
-    "alembic>=1.13.0",
+    "sqlalchemy>=2.0.30,<2.1",
+    "psycopg[binary]>=3.2.0,<3.3",
+    "alembic>=1.13.0,<1.14",
 
     # Object storage
-    "minio>=7.2.7",
+    "minio>=7.2.7,<8",
 
     # Search/index
-    "opensearch-py>=2.6.0",
-    "qdrant-client>=1.10.0",
+    "opensearch-py>=2.6.0,<3",
+    "qdrant-client>=1.10.0,<1.13",
 
     # Workers
-    "celery>=5.4.0",
-    "redis>=5.0.7",
+    "celery>=5.4.0,<6",
+    "redis>=5.0.7,<6",
 
-    # Ingestion
-    "ocrmypdf>=16.4.0",
-    "pikepdf>=9.0.0",
-    "pypdf>=4.3.0",
+    # Ingestion - pin Docling tight since its DocumentConverter API
+    # still moves between minor releases; lift the upper bound only
+    # after a smoke test on a staging corpus.
+    "ocrmypdf>=16.4.0,<17",
+    "pikepdf>=9.0.0,<10",
+    "pypdf>=4.3.0,<6",
     "pdfminer.six>=20240706",
-    "docling>=2.0.0",
+    "docling>=2.0.0,<2.15",
 
-    # ML
-    "FlagEmbedding>=1.3.0",
-    "sentence-transformers>=3.0.0",
-    "torch>=2.2.0",
-    "numpy>=1.26.0",
-    "transformers>=4.42.0",
+    # ML - pin Flag/sentence-transformers/transformers within the
+    # families that have been verified against the reranker contract
+    # tests. Torch follows the family-major pin to keep CUDA wheels
+    # discoverable.
+    "FlagEmbedding>=1.3.0,<2",
+    "sentence-transformers>=3.0.0,<4",
+    "torch>=2.2.0,<3",
+    "numpy>=1.26.0,<3",
+    "transformers>=4.42.0,<5",
 
     # Misc
-    "httpx>=0.27.0",
-    "tenacity>=8.5.0",
-    "structlog>=24.2.0",
-    "orjson>=3.10.0",
+    "httpx>=0.27.0,<0.29",
+    "tenacity>=8.5.0,<10",
+    "structlog>=24.2.0,<26",
+    "orjson>=3.10.0,<4",
     "python-magic>=0.4.27; platform_system != 'Windows'",
     "python-magic-bin>=0.4.14; platform_system == 'Windows'",
-    "langdetect>=1.0.9",
+    "langdetect>=1.0.9,<2",
     "regex>=2024.5.15",
-    "rich>=13.7.1",
-    "tqdm>=4.66.4",
-    "click>=8.1.7",
+    "rich>=13.7.1,<14",
+    "tqdm>=4.66.4,<5",
+    "click>=8.1.7,<9",
 ]
 
 [project.optional-dependencies]