Lock package versions

[augustak]

We should make sure that we require the oldest version possible of packages that doesn't contain any (known) security vulnerabilities