Fail on non-dev packages with executables that are only used within `bin/`

matthewnitschke-wk commented 3 months ago

Motivation

Closes #106
Closes #99

Changes

dependency_validator passes if there is a non-dev (dependencies:) dep, that contains executables, but is only referenced within the bin/ directory

Under the following conditions, the dependency should be downgraded to a dev_dependency, and dependency_validator exits with a non-zero exit code

[!IMPORTANT] Merging this PR has a chance to break existing implementations, we may want to do this as a major, depending on how best we want to support current implementations of dep validator

aviary-wf commented 3 months ago

Security Insights

No security relevant content was detected by automated scans.

Action Items

Review PR for security impact; comment "security review required" if needed or unsure
Verify aviary.yaml coverage of security relevant code

Questions or Comments? Reach out on Slack: #support-infosec.

matthewnitschke-wk commented 2 months ago

This feature has been absorbed in the #111 branch

Workiva / dependency_validator