Pin oldestdeps in tox.ini to exact versions?

[mhvk]

Description

Issue #15788 arose because our minimum required erfa was not quite correct. This was not caught because in tox.ini, we have set our oldestdeps to things like pyerfa==2.0.*, which means bug-fix releases are included. Conceptually, this seems wrong: oldestdeps should test with with exactly the absolute minimum version that is allowed by our requirements. If that means that something doesn't work because of a bug, logically our minimum requirements should be updated as well.

Question: does this make sense? Should we update tox.ini and pyproject.toml with version numbers that include bug-fix micro?

[pllim]

I think it has both good and bad.

Would have been avoided if pyerfa uses semver, no?

[pllim]

I am okay with pinning pyerfa to exact in oldestdeps but I would be hesistant to make this a blanket policy. Sometimes a bugfix includes critical security fix and we would want those.

[mhvk]

I am okay with pinning pyerfa to exact in oldestdeps but I would be hesistant to make this a blanket policy. Sometimes a bugfix includes critical security fix and we would want those.

But in that case shouldn't we adjust our minimum required version? I see oldestdeps as just ensuring that we do not inadvertently break what should work... Anyway, I'm really not sure...

Separately, would be nice if tox.ini could auto-grab those versions from pyproject.toml...

[pllim]

I vaguely remember that @WilliamJamieson wrote something that automatically create pinning for tox from build requirements... 🤔