astral-sh / ruff

An extremely fast Python linter and code formatter, written in Rust.
https://docs.astral.sh/ruff
MIT License

new rule - detect uv dev dependencies being used in production code #6971

Open DetachHead opened 1 year ago

DetachHead commented 1 year ago

In my project, I was importing from dev dependencies in code intended to be used by users of my module:

```python
# public_module.py
from foo import bar
```

```toml
# pyproject.toml
[tool.poetry.group.dev.dependencies]
foo = "^1.0.0"
```

because of this, all my tests were passing because the dependency existed, but the moment a user tried to use it, it crashed because the module was not installed.

it would be nice if ruff had a rule to detect this like this eslint plugin does

KotlinIsland commented 1 year ago

Not just dev, but any non-main group

DetachHead commented 1 year ago

also pdm dev dependencies:

```toml
[tool.pdm.dev-dependencies]
lint = ["foo>=1.0.0"]
```

indigoviolet commented 1 year ago

Same issue exists with rye:

```toml
[tool.rye]
managed = true
dev-dependencies = [
    "ipykernel>=6.24.0",
...
```

zanieb commented 1 year ago

I foresee the major issue here being that dependency names do not map one-to-one with imported module names. How can we know which maps to which statically?

charliermarsh commented 1 year ago

Unfortunately not possible to know that in advance (unless we hard-code a database of lookups) -- you need access to the built distribution or the virtual environment.

KotlinIsland commented 1 month ago

@charliermarsh now that astral controls the entire stack, couldn't uv be used to resolve this?

UnknownPlatypus commented 1 month ago

I believe https://github.com/fpgmaas/deptry does this and supports uv, poetry, pip and pdm. (And btw, it's relying on ruff's parser for the import detection.)

DetachHead commented 1 month ago

thanks, though it would be nice if this functionality was built into ruff, mainly for its language server so that the errors it reports can be visible in your IDE