Pinning dependencies per OSSF security practices and coverting to ASCII

[timmiesmith]

https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies recommends explicitly pinning dependencies to reduce several security risks.

Line endings in the file were inconsistent so I converted them all to ASCII instead of a mix of CR and CRLF line endings.

[danhoeflinger]

LGTM,
I checked that these version numbers are the current versions of these libraries.

[mmichel11]

LGTM

Edit: See below

[mmichel11]

These dependencies actually seem impossible to fulfill based on the CI failure:

    The user requested sphinx==4.4.0
    breathe 4.9.1 depends on Sphinx>=1.4
    sphinx-book-theme 1.1.2 depends on sphinx>=5

Would increasing the required sphinx version resolve this?

[danhoeflinger]

These dependencies actually seem impossible to fulfill based on the CI failure:

    The user requested sphinx==4.4.0
    breathe 4.9.1 depends on Sphinx>=1.4
    sphinx-book-theme 1.1.2 depends on sphinx>=5

Would increasing the required sphinx version resolve this?

That may have unintended consequences. May be best to figure out which version of these was currently being used prior to this PR and just use those version numbers.

[danhoeflinger]

Looking at another PR, it looks like this is correct (after rolling back to versions which work):
sphinx_book_theme==1.0.1
sphinx-tabs==3.4.5
sphinx-prompt==1.5.0
sphinx_substitution_extensions==2022.2.16

[timmiesmith]

Thanks. The version numbers I selected had been pulled from a previous PR, but I'm not able to find that PR now. Looking at the PR from depandabot earlier today I do see that it used the same version numbers you've listed above.

[danhoeflinger]

I think it initially tries the numbers you originally had, but then backs them off later in the script due to dependencies.

[danhoeflinger]

LGTM