fpgmaas/deptry

Deptry should warn if a package is listed as a dependency and a dev-dependency.

MaxG87 opened this issue · 1 comment

I have a project where by accident I listed requests both as production and development dependency. The error I got was a bit confusing, because it complains that I use modules from development dependencies. This is not wrong, but also not quite fitting.

I would like deptry to explicitly cover this case. There should be a section in the output reading "There are modules listed both in your regular and the development dependencies." or similar.

Note: There is an edge case where two listings are indeed intended. See my next issue for more details.

Minimal `pyproject.toml`:

```toml
[tool.poetry]
name = "mwe"
version = "v4.1.2"
description = ""
authors = ["John Doe"]

[tool.poetry.dependencies]
python = "^3.10"
requests = "^2.28.2"

[tool.poetry.group.dev.dependencies]
requests = "^2.28.2"
deptry = "^0.8.0"

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"
```

Output of `poetry run deptry .` in a project with at least one `import requests` under `src/`:

Scanning 1 files...
There was 1 dependency issue found.

-----------------------------------------------------

There are imported modules from development dependencies detected:

	requests

Consider moving them to your project's 'regular' dependencies. If this is not correct and the dependencies listed above are indeed development dependencies, it's likely that files were scanned that are only used for development purposes. Run `deptry -v .` to see a list of scanned files.

-----------------------------------------------------

Dependencies and directories can be ignored by passing additional command-line arguments. See `deptry --help` for more details.
Alternatively, deptry can be configured through `pyproject.toml`. An example:

    ```
    [tool.deptry]
    ignore_obsolete = [
        "foo"
    ]
    ignore_missing = [
        "bar"
    ]
    ignore_transitive = [
        "baz"
    ]
    extend_exclude = [
        ".*/foo/",
        "bar/baz.py"
    ]
    ```

For more information, see the documentation: https://fpgmaas.github.io/deptry/
If you have encountered a bug, have a feature request or if you have any other feedback, please file a bug report at https://github.com/fpgmaas/deptry/issues/new/choose

I wonder if it is a good idea to implement this check. Even outside the case of defining different extras in the dev dependency definition, there probably are valid reasons to depend on a dependency for a library with a specific lower bound, but also depend on the library for dev dependencies, on a specific version.

For instance, in a library, one could want:

```toml
[tool.poetry.dependencies]
python = ">=3.7"
black = ">=22.1.0"

[tool.poetry.group.dev.dependencies]
black = "23.3.0"
```

in case the library itself depends on black, but for dev tools locally, an explicit version is required to format the code with black.

We could limit the check to warning only in case the dependency is defined twice with the exact same definition (same version/range/markers/etc.), but it would probably be an edge case that is not worth maintaining.
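The following is an added example, not code from deptry or from either participant. It implements the check the issue asks for together with the refinement proposed in the comment above: packages declared in both `[tool.poetry.dependencies]` and a `[tool.poetry.group.*.dependencies]` table are reported, and those whose definitions are identical (same version string or same table of version/extras/markers) are separated from those that differ, since the latter may be intentional. It assumes the Poetry layout shown on the page, also reads the legacy `[tool.poetry.dev-dependencies]` table, and uses the standard-library `tomllib` (Python 3.11+; `tomli` is used as a fallback). The embedded `pyproject.toml` text is constructed for the example.

```python
"""Report packages listed in both regular and group (dev) dependencies.

Added example (not deptry's own code). Identical definitions are flagged as
likely mistakes; differing definitions are reported separately, because a
loose bound in the library plus a pinned dev version can be deliberate.
"""
import re
import sys

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover - fallback for older interpreters
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample: the issue's duplicated "requests" plus the comment's
# "black" case (lower bound in the library, exact pin for the dev tools).
SAMPLE_PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.10"
requests = "^2.28.2"
black = ">=22.1.0"

[tool.poetry.group.dev.dependencies]
requests = "^2.28.2"
black = "23.3.0"
deptry = "^0.8.0"
"""


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_duplicate_dependencies(pyproject_text: str) -> dict[str, list[dict]]:
    """Return {"identical": [...], "different": [...]} for packages declared
    both as a regular dependency and in any dependency group."""
    poetry = tomllib.loads(pyproject_text).get("tool", {}).get("poetry", {})

    # "python" is an interpreter constraint, not a package; skip it.
    regular = {
        normalise(name): spec
        for name, spec in poetry.get("dependencies", {}).items()
        if normalise(name) != "python"
    }

    # Legacy pre-1.2 layout first, then the modern group tables.
    group_tables = {"dev-dependencies": poetry.get("dev-dependencies", {})}
    for group_name, group in poetry.get("group", {}).items():
        group_tables[f"group.{group_name}"] = group.get("dependencies", {})

    report: dict[str, list[dict]] = {"identical": [], "different": []}
    for group_name, deps in group_tables.items():
        for name, spec in deps.items():
            key = normalise(name)
            if key not in regular:
                continue
            entry = {"package": key, "group": group_name,
                     "regular": regular[key], "dev": spec}
            # '==' compares plain version strings as well as inline tables
            # ({version = ..., extras = [...], markers = ...}) structurally.
            bucket = "identical" if regular[key] == spec else "different"
            report[bucket].append(entry)
    return report


def format_report(report: dict[str, list[dict]]) -> str:
    """Render the report in the style of deptry's existing output sections."""
    if not report["identical"] and not report["different"]:
        return "No package is listed in both regular and group dependencies."
    lines: list[str] = []
    if report["identical"]:
        lines += ["There are modules listed both in your regular and the "
                  "development dependencies:", ""]
        lines += [f"\t{e['package']} ({e['group']}: {e['dev']!r})"
                  for e in report["identical"]]
        lines += ["", "Consider removing one of the two entries."]
    if report["different"]:
        lines += ["", "Listed in both, but with differing definitions "
                  "(this may be intentional):", ""]
        lines += [f"\t{e['package']}: regular={e['regular']!r}, "
                  f"{e['group']}={e['dev']!r}" for e in report["different"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python duplicate_deps.py [path/to/pyproject.toml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read().decode("utf-8")
    else:
        text = SAMPLE_PYPROJECT
    print(format_report(find_duplicate_dependencies(text)))
```

Run without arguments it reports `requests` under the "identical" heading and `black` under the "differing definitions" heading; pass a path to check a real `pyproject.toml`. Names are compared after PEP 503 normalisation so `Requests` and `requests` count as the same package.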