enowars/enochecker_async

properly pin dependencies

Closed this issue · 2 comments

Using >= for pre-1.0 dependencies is a bad idea when they might introduce backwards-compatibility-breaking changes.

How does Python manage transitive deps?

Don't you want to use `pipenv lock` or something similar in the downstream projects? Would that lock our deps to specific versions too? I am sure you remember the DNS bug in $httpfoolib; we don't want that again 😇

Edit: this might go into a separate issue

Usually you would run `pip freeze > requirements.txt`, which leads to pinning all downstream projects as well.
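To make the concern in this thread checkable, the following added example (not part of the thread or of the enochecker_async repository) classifies requirement lines and flags lower-bound-only specifiers on 0.x versions. The package names and verdict labels are constructed for illustration, and the regex parser is a simplified assumption that covers plain `name<op>version` lines only.

```python
import re

# Constructed sample input; these package names are placeholders, not real dependencies.
SAMPLE_REQUIREMENTS = """\
examplehttp>=0.9.1
examplelog>=2.3
exampledb==0.4.2
exampleyaml~=0.5.0
examplecli
exampleweb>=0.3,<0.4
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")
CLAUSE_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*([0-9][^\s,]*)$")


def classify(line):
    """Return (name, verdict) for one requirement line, or None if blank/comment."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    m = REQ_RE.match(stripped)
    if not m:
        return (stripped, "unparsed")  # e.g. -r includes, which need separate review
    name, spec = m.group(1), m.group(2).strip()
    if not spec:
        return (name, "unpinned")
    clauses = [CLAUSE_RE.match(part.strip()) for part in spec.split(",")]
    if not all(clauses):
        return (name, "unparsed")
    ops = {c.group(1) for c in clauses}
    if ops & {"==", "==="} and not any("*" in c.group(2) for c in clauses):
        return (name, "pinned")
    if ops & {"==", "<", "<=", "~="}:
        return (name, "bounded")  # has an upper limit (or a wildcard pin)
    floors = [c.group(2) for c in clauses if c.group(1) in (">=", ">")]
    # Lower bound only: any future release satisfies it, including breaking 0.x ones.
    if floors and all(v.split(".")[0] == "0" for v in floors):
        return (name, "open-ended-pre-1.0")
    return (name, "open-ended")


def audit(text):
    """Group package names by verdict for a whole requirements file."""
    report = {}
    for name, verdict in filter(None, map(classify, text.splitlines())):
        report.setdefault(verdict, []).append(name)
    return report
```

Calling `audit(SAMPLE_REQUIREMENTS)` returns a dict keyed by verdict; anything other than `pinned` can resolve to a different version on the next install, and transitive dependencies are only covered when the audited file is a full freeze or lock output.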