fpgmaas/deptry

Potential DEP005: Detect Poetry `extras` that are not listed under dependencies.

fpgmaas opened this issue · 3 comments

Is your feature request related to a problem? Please describe.

From the Poetry docs:

> The dependencies specified for each extra must already be defined as project dependencies.
>
> Dependencies listed in dependency groups cannot be specified as extras.

So, e.g., this section seems to be invalid:

```toml
[tool.poetry.dependencies]
python = "^3.7.0"
pathable = "^0.4.0"
django = {version = ">=3.0", optional = true}
falcon = {version = ">=3.0", optional = true}
flask = {version = "*", optional = true}
isodate = "*"
more-itertools = "*"
parse = "*"
openapi-schema-validator = "^0.4.2"
openapi-spec-validator = "^0.5.0"
requests = {version = "*", optional = true}
werkzeug = "*"
typing-extensions = "^4.3.0"
jsonschema-spec = "^0.1.1"
backports-cached-property = {version = "^1.0.2", python = "<3.8" }
sphinx = {version = "^5.3.0", optional = true}
sphinx-immaterial = {version = "^0.11.0", optional = true}

[tool.poetry.extras]
docs = ["sphinx", "sphinx-immaterial"]
django = ["django"]
falcon = ["falcon"]
flask = ["flask"]
requests = ["requests"]
starlette = ["starlette", "httpx"]
```

This is an issue that we could detect with deptry.

Describe the solution you would like

Add DEP005.

Additional context

I started working on it in #399.

It might be good to first solve #398 though, which would make it easier to add new issues.

The check itself is nice, but Poetry already provides a mechanism to report such issues through the `check` command.

Given the file you shared as an example:

```console
$ poetry check
Error: Cannot find dependency "starlette" for extra "starlette" in main dependencies.
Error: Cannot find dependency "httpx" for extra "starlette" in main dependencies.
```

Nice, I actually was not aware of that! On the other hand, I don't think many people are aware of this, and I don't usually see this implemented in a CI/CD pipeline. For example, we do not run this for deptry, and the project I linked also does not seem to have run `poetry check`.

Since it is a simple check to implement, it might be worthwhile to check for this issue anyway.

On the other hand, we should be cautious about 'scope creep', and not try to implement many checks for which tools already exist.

Maybe we could mention that this check exists in the documentation? Not sure where exactly, but considering that the check is both specific to Poetry and already handled by the tool itself, I do feel that implementing the check would be like reinventing the wheel.

But I don't have a strong objection to implementing the check if you think this is still worth pursuing, although if we were to do that, we could probably use a different set of error codes (like DEP1XX, with the first one being DEP101) to better convey that this is part of a potential set of error codes that are specific to Poetry (so we could have DEP102 if we were to have more).