Debexpo currently only hints about the lower version bound (taken from buster).
However, this allows testing releases to be installed from PyPI. We had a case recently where celery published a release candidate for the next major that broke the worker (5.0.0rc1).
Since we are targeting buster and sid, we should only deal with versions present in Debian. As such, I've added upper bounds preventing new major versions from being installed from PyPI while developing (while allowing updates for minor and patch versions).
I've also added a test for the CI to detect fetching of external dependencies. If triggered, this will indicate that a new major has been uploaded to Debian and that an update to the dependency bounds is required (as well as some testing).
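A companion check for the bounds described above, as an added example that is not part of this change or of debexpo's code: it lints requirement strings and reports any that lack a lower bound, lack an upper bound, or whose upper bound still admits a newer major version. The function names and the sample requirement list are assumptions constructed for illustration (the versions are not debexpo's real bounds), and only the `>=`, `>`, `<`, `<=` and `==` operators are handled.

```python
import re

# One version clause such as ">=4.2" or "<5" (simplified: no wildcards, epochs, extras).
CLAUSE = re.compile(r"^(>=|<=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

# Constructed sample, not debexpo's actual dependency list.
SAMPLE = ["celery>=4.2,<5", "django>=1.11", "redis>=3.2,<5", "python-debian"]


def max_major(op, parts):
    """Highest major version an upper-bound clause still admits."""
    # "<5" and "<5.0" top out in major 4; "<5.1" or "<=5" still admit major 5.
    if op == "<" and not any(parts[1:]):
        return parts[0] - 1
    return parts[0]


def check_bounds(requirement):
    """Return (name, problems) for one requirement string."""
    name, spec = NAME.match(requirement.strip()).groups()
    lower_major = upper_major = None
    problems = []
    for clause in [c.strip() for c in spec.split(",") if c.strip()]:
        m = CLAUSE.match(clause)
        if m is None:
            problems.append("unsupported clause: " + clause)
            continue
        op, parts = m.group(1), [int(p) for p in m.group(2).split(".")]
        if op in (">=", ">", "=="):
            lower_major = parts[0]
        if op in ("<", "<=", "=="):
            upper_major = max_major(op, parts)
    if lower_major is None:
        problems.append("no lower bound")
    if upper_major is None:
        problems.append("no upper bound")
    elif lower_major is not None and upper_major > lower_major:
        problems.append("upper bound admits major %d" % upper_major)
    return name, problems


def lint(requirements):
    """Map each offending package name to its list of problems."""
    results = (check_bounds(r) for r in requirements)
    return {name: problems for name, problems in results if problems}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE).items():
        print(name + ": " + "; ".join(problems))
```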