Description
When pipx or uv go to install the tool, they determine the version of dependencies to install based on the `project.dependencies` section in `pyproject.toml`/the generic packaging metadata. At the moment we only specify lower bounds there for most packages. This should be okay in general, and when we know there's an issue with a particular package, we can add upper bounds or pin to a specific version.
But we develop and test mostly against the specific versions pinned in `uv.lock`, so it might be nice if we could lock down the installs to these versions to avoid surprises.
Direct solutions
For uv, maybe astral-sh/uv#8729 (or something like the mentioned build plugin there).
Indirect solutions
One approach might be to run `uv export --format requirements-txt --no-dev --no-editable --output-file cli-requirements.txt` on package/lockfile updates.
If then fetched, for pipx we could then maybe `pipx inject nava-platform-cli -r cli-requirements.txt`.
Or we could use that `cli-requirements.txt` to then update the `project.dependencies` section in `pyproject.toml`? Which is sub-optimal and makes updating more of a pain.
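
A drift check for the indirect approach above, as an added example that is not part of the original issue or the project's code: it compares the pins in an exported `cli-requirements.txt` with `pip freeze`-style output from the installed environment. Both sample inputs are constructed (the hashes are placeholders), and how the freeze output is collected from the pipx-managed environment is left as an assumption.

```python
import re

# name, optional [extras], then an exact pin; the version stops at whitespace,
# an environment marker (;) or a line-continuation backslash.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")

def normalize(name):
    """PEP 503 normalization, so Typing_Extensions matches typing-extensions."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return {normalized name: version} for every `name==version` line.

    Comments, option lines (-e, --hash continuations) and unpinned
    requirements are skipped; environment markers are not evaluated.
    """
    pins = {}
    for line in text.splitlines():
        match = PIN.match(line.strip())
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins

def drift(locked_text, installed_text):
    """List (package, locked, installed) where the environment differs from the lock."""
    locked, installed = parse_pins(locked_text), parse_pins(installed_text)
    return sorted((name, want, installed.get(name))
                  for name, want in locked.items() if installed.get(name) != want)

# Constructed sample in the shape of `uv export` output; hashes are placeholders.
LOCKED = r"""
# cli-requirements.txt (constructed)
click==8.1.7 \
    --hash=sha256:0000
colorama==0.4.6 ; sys_platform == 'win32' \
    --hash=sha256:0000
pyyaml==6.0.2 \
    --hash=sha256:0000
typing-extensions==4.12.2 \
    --hash=sha256:0000
"""
# Constructed `pip freeze`-style listing of what actually got installed.
INSTALLED = "click==8.1.8\ncolorama==0.4.6\nTyping_Extensions==4.12.2\n"

if __name__ == "__main__":
    for name, want, got in drift(LOCKED, INSTALLED):
        print(f"{name}: locked {want}, installed {got or 'missing'}")
```

Because markers are not evaluated, a package pinned only for another platform is reported as missing; filter those out before treating the report as a failure.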