All 6 packages were fully unpinned, allowing a compromised upstream
release to silently introduce malicious code on `pip install`. Pin to
current stable versions to ensure reproducible, auditable builds.
Co-authored-by: Claude Code <noreply@anthropic.com>