Description
Mypy_primer is locked to an exact SHA in this repo's uv.lock file, but uv doesn't respect external lockfiles when installing packages into an environment. So despite the fact that ecosystem-analyzer is pinned to an exact SHA in Ruff's CI here, and the fact that we pin an exact SHA of mypy_primer in Ruff's CI here, I believe Ruff's ecosystem-analyzer workflow always installs an unpinned version of mypy_primer due to the fact that mypy_primer is unpinned in this repository's pyproject.toml file. We could consider pinning mypy_primer to an exact SHA in this repo's pyproject.toml file, for better supply-chain security.
(If uv implemented astral-sh/uv#5815 then we could just get uv to respect ecosystem-analyzer's lockfile when installing ecosystem-analyzer in Ruff's CI, but I'm not sure that's on their immediate roadmap.)
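As an added illustration of the pinning the issue proposes (example code written here, not code from ecosystem-analyzer, Ruff or uv): the script below embeds two constructed `pyproject.toml` fragments, an unpinned one that lets uv resolve `mypy_primer` from whatever the default branch currently points at, and a pinned one that names a full commit SHA in uv's `[tool.uv.sources]` table, and checks either file for git-sourced dependencies that are not locked to a 40-hex commit. The repository URL for `mypy_primer` and the `example-analyzer` project name are assumptions, the SHA is a placeholder, and the check also covers PEP 508 direct references of the form `pkg @ git+https://host/repo@ref`, which the issue does not mention.

```python
"""Flag git-sourced dependencies in a pyproject.toml that are not pinned to a full
commit SHA. Constructed example: the TOML fragments are assumed shapes, not the
ecosystem-analyzer project's real files."""
import re

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: assumes the tomli backport is installed
    import tomli as tomllib

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed "before": a git source with no rev. uv installs the tip of the default
# branch at environment creation time, so the build is not reproducible and anyone
# who can push to that branch can change what CI runs.
UNPINNED = """
[project]
name = "example-analyzer"
version = "0.1.0"
dependencies = ["mypy_primer"]

[tool.uv.sources]
mypy_primer = { git = "https://github.com/hauntsaninja/mypy_primer" }
"""

# Constructed "after": the same source pinned to a full commit SHA (placeholder
# value, not a real commit). Tags and branch names are not accepted by the check
# below because both can be moved after the fact.
PINNED = """
[project]
name = "example-analyzer"
version = "0.1.0"
dependencies = ["mypy_primer"]

[tool.uv.sources]
mypy_primer = { git = "https://github.com/hauntsaninja/mypy_primer", rev = "0123456789abcdef0123456789abcdef01234567" }
"""

# PEP 508 direct reference: "name @ git+<url>[@<ref>][#fragment]".
# Extras and environment markers are not handled by this simple check.
DIRECT_REF = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*@\s*git\+(?:\S+?)(?:@([^#\s]+))?(?:#.*)?\s*$"
)


def unpinned_git_deps(pyproject_text: str) -> list[str]:
    """Return the names of dependencies whose git source lacks a full-SHA pin."""
    data = tomllib.loads(pyproject_text)
    findings: list[str] = []

    # 1. Direct references listed in [project].dependencies
    for spec in data.get("project", {}).get("dependencies", []):
        m = DIRECT_REF.match(spec)
        if m:
            ref = m.group(2)
            if not (ref and FULL_SHA.match(ref)):
                findings.append(m.group(1))

    # 2. uv's [tool.uv.sources] table; each entry may be a table or a list of
    #    tables (when the same package has marker-specific sources).
    sources = data.get("tool", {}).get("uv", {}).get("sources", {})
    for name, src in sources.items():
        entries = src if isinstance(src, list) else [src]
        for entry in entries:
            if isinstance(entry, dict) and "git" in entry:
                rev = entry.get("rev", "")
                if not (isinstance(rev, str) and FULL_SHA.match(rev)):
                    findings.append(name)
                    break
    return findings


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(f"{label}: unpinned git deps = {unpinned_git_deps(text)}")
```

Running the script prints `['mypy_primer']` for the unpinned fragment and `[]` for the pinned one. Because the check parses the project's own `pyproject.toml` rather than `uv.lock`, it catches exactly the gap the issue describes: a lockfile that pins a SHA while the declared source that other projects actually consume does not.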