Django: Fix up Pipenv dependency pinning

[gdude2002]

As it stands right now, we're pinning dependencies down to the current segment we want, using the "compatible release" specifier.

django = "~=2.2"

What this means is that Pipenv will update Django to 2.3 and other 2.x releases, avoiding any 3.x or later releases. However, we really want to pin to the patch version (or "micro" version, as Pipenv calls it for some reason) - so we should instead be pinning as follows:

django = "~=2.2.0"

This will allow automatic updates to 2.2.x versions, but not 2.3.x and so on.

[gdude2002]

@Akarys42 commented:

Why you doesn't use django < 3.0.0?

The "compatible release" specifier basically allows you to take advantage of how semantic versioning works.

If you look at a version number, for example 1.2.3, the version has three sections - major.minor.patch.

Major version increments are allowed to be quite breaking, they can include entire rewrites or removals of APIs and generally anything supporting or working with the software in question will also need to be rewritten.

Minor version increments also allow for breaking changes, but these are minor breaking changes - For example, a fix to an API method that removes or adds a parameter. These are usually addressed by your project with a simple change or set of simple changes.

Patch version increments do not allow for breaking changes. They are for bugfixes only. They should not change the public-facing APIs, and so your software should be able to project update to patch version releases without any changes.

---

The "compatible version" specifier given above allows us to decide what level of stability we require from our dependencies. Using the example given above..

django = "~=2.2.0"

...we are specifying that we want releases that are compatible with 2.2.0. What this means is that we are targeting 2.2.0 and any patch releases only. We are allowing for updates to 2.2.1, 2.2.2 and so on, but not 2.3.0 or 3.0.0.

If we used your suggestion...

django = "<3.0.0"

We would be targeting anything lower than 3.0.0 - so we would get updated to 2.3.0, 2.4.0, and so on - which could potentially cause breakages. We don't want that - we should be able to review breaking versions as and when we have the time and need to update to them.

---

Not sure why you deleted your comment, but I hope that helps!