shotgunsoftware · julien-lang · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 9, 2026
diff --git a/.snyk b/.snyk
diff --git a/.travis.yml.disabled b/.travis.yml.disabled
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -35,10 +35,11 @@ jobs:
       - name: tk-framework-desktopclient
       - name: tk-shotgun
     extra_test_dependencies:
-      # Required when binary dependencies are not bundled
-      - attrs==22.2.0    # Fix version. Otherwise tk-ci-tools will install latest
-      - Twisted==22.10.0 # Last version supporting Python 3.7
-      - websocket-client==1.6.1 # Last version supporting Python 3.7
+      # CI installs dependencies from the dedicated Azure Pipelines
+      # requirements file, which must be kept in sync with the unified
+      # runtime requirements so CI-installed versions match what pkgs.zip
+      # bundles, preventing sys.modules version conflicts.
+      - --requirement=azure-pipelines/requirements.txt
     post_tests_steps:
       - task: Bash@3
         displayName: Run interpreter integration tests

diff --git a/azure-pipelines/requirements.txt b/azure-pipelines/requirements.txt
@@ -0,0 +1,25 @@
+# Test-environment dependencies for Azure Pipelines CI.
+# These supplement the pre-built pkgs.zip bundle and are not shipped with the
+# product.
+#
+# Note: attrs and Twisted versions must be kept in sync with
+# resources/python/requirements.txt.
+
+#-------------------------------------------------------------------------------
+# attrs
+# Pinned to prevent tk-ci-tools from upgrading to a newer version automatically.
+attrs==22.2.0
+
+#-------------------------------------------------------------------------------
+# Twisted
+# Must match the version bundled in pkgs.zip/src/ for each Python version.
+# A version mismatch causes a sys.modules conflict at runtime (see SG-42304).
+Twisted==22.10.0 ; python_version <  "3.9"
+Twisted==24.10.0 ; python_version >= "3.9" and python_version < "3.13"
+Twisted~=24.11.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# websocket-client
+# Test-only dependency (not bundled in pkgs.zip).
+websocket-client==1.6.1 ; python_version <  "3.9"  # Last version supporting Python 3.7
+websocket-client~=1.9.0 ; python_version >= "3.9"
diff --git a/resources/python/requirements.txt b/resources/python/requirements.txt
@@ -0,0 +1,124 @@
+# Targeted Python versions:
+#   - 3.7  (legacy)
+#   - 3.9  (VFX CY2022)
+#   - 3.10 (VFX CY2023)
+#   - 3.11 (VFX CY2024)
+#   - 3.13 (VFX CY2026)
+#
+# When updating a dependency, follow the process described in README.md.
+# CI handles regeneration automatically.
+# Note: Twisted and attrs are also pinned in azure-pipelines/requirements.txt
+# and must be kept in sync with the versions here.
+
+# ============================================================================ #
+# Direct dependencies
+#   Version constraints balance code compatibility and CVE requirements.
+#
+
+#-------------------------------------------------------------------------------
+# autobahn
+# CVE-2020-35678 - fixed in 20.12.3
+autobahn==22.12.1 ; python_version <  "3.13"
+autobahn~=24.4.2  ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# pyOpenSSL
+pyopenssl==25.0.0 ; python_version <  "3.13"
+pyopenssl~=25.0.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# Twisted
+# CVE-2022-21712 - fixed in 22.1
+# CVE-2022-24801 - fixed in 22.1
+# CVE-2024-41671 & CVE-2024-41810 - fixed in 24.10.0 - N/A for Python 3.7
+twisted==22.10.0 ; python_version <  "3.9" # Last version supporting 3.7
+twisted==24.10.0 ; python_version >= "3.9" and python_version < "3.13"
+twisted~=24.11.0 ; python_version >= "3.13"
+
+# ============================================================================ #
+# Selected sub-level dependencies
+#   CVE-driven: minimum versions (>= x.y.z).
+#   Other reasons (e.g. compatibility, bundling): pinned to a specific version.
+#
+
+#-------------------------------------------------------------------------------
+# attrs
+# Required by:
+#   → service-identity
+#   ↳ Twisted
+# Do not upgrade! The CI pipeline installs attrs==22.2.0 as a system-level test
+# dependency (see azure-pipelines/requirements.txt). pytest also imports attrs
+# early, caching it in sys.modules. From attrs 23.2.0,
+# `attrs/__init__.py` imports `Converter` from `attr`. If the bundled version is
+# newer than the cached one, that import fails with:
+#   ImportError: cannot import name 'Converter' from 'attr'
+# Twisted 24.x and autobahn 24.x only require attrs>=22.2.0, so this is safe.
+attrs==22.2.0
+
+#-------------------------------------------------------------------------------
+# certifi
+# Required by:
+#   → pyOpenSSL
+#   ↳ Twisted
+# Pinned to match the version bundled with FPT Desktop
+certifi==2026.1.4
+
+#-------------------------------------------------------------------------------
+# cffi
+# Required by:
+#   → cryptography → autobahn
+#                  ↳ pyOpenSSL
+#                  ↳ service-identity
+cffi>=1.15.1 ; python_version <  "3.13"
+cffi>=1.17.1 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# cryptography
+# Required by:
+#   → autobahn
+#   ↳ pyOpenSSL
+#   ↳ service-identity
+# CVE-2023-2650  - fixed in 41.0.0
+# CVE-2023-4807  - fixed in 41.0.5
+# CVE-2023-5678  - fixed in 41.0.7
+# CVE-2023-49083 - fixed in 41.0.7
+# CVE-2024-2511  - fixed in 43.0.1
+# CVE-2024-4603  - fixed in 43.0.1
+# CVE-2024-6119  - fixed in 43.0.1
+# CVE-2024-12797 - fixed in 44.0.1
+cryptography>=44.0.1
+
+#-------------------------------------------------------------------------------
+# hyperlink
+# Required by:
+#   → autobahn
+#   ↳ Twisted
+hyperlink>=21.0.0
+
+#-------------------------------------------------------------------------------
+# idna
+# Required by:
+#   → hyperlink → autobahn
+#               ↳ Twisted
+# CVE-2024-3651 - fixed in 3.7
+idna>=3.7 ; python_version <  "3.13"
+idna>=3.8 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# service-identity
+# Required by:
+#   → Twisted
+service-identity>=21.1.0 ; python_version <  "3.13"
+service-identity>=24.2.0 ; python_version >= "3.13"
+
+#-------------------------------------------------------------------------------
+# six
+# Required by: service-identity
+# service-identity 24.x (Python 3.13+) no longer requires six
+six==1.16.0 ; python_version < "3.13"
+
+#-------------------------------------------------------------------------------
+# zope.interface
+# Required by: Twisted
+zope.interface>=5.5.2 ; python_version <  "3.13"
+zope.interface>=7.1.0 ; python_version >= "3.13"
diff --git a/resources/python/requirements/3.10/requirements.txt b/resources/python/requirements/3.10/requirements.txt
diff --git a/resources/python/requirements/3.11/requirements.txt b/resources/python/requirements/3.11/requirements.txt
diff --git a/resources/python/requirements/3.13/requirements.txt b/resources/python/requirements/3.13/requirements.txt
diff --git a/resources/python/requirements/3.7/requirements.txt b/resources/python/requirements/3.7/requirements.txt
diff --git a/resources/python/requirements/3.9/requirements.txt b/resources/python/requirements/3.9/requirements.txt
diff --git a/resources/python/update_requirements.py b/resources/python/update_requirements.py
@@ -133,9 +133,7 @@ def _get_dependencies_to_install(self):
 
         try:
             # pip install all the requirements into the build subfolder.
-            self._pip("install -r requirements/{}/requirements.txt".format(
-                self._python_version_dot_format
-            ))
+            self._pip("install -r requirements.txt")
             print("All dependencies installed.")
 
             # list everything that was installed.