bug: hardcoded dev dependency versions breaks mypy usage

[q-wertz]

Describe the bug

I'm having an indirect bleach dependency in my code. Due to the usage of poetry my mypy version is restricted to "mypy (==0.961)" by bleach. This mypy version is not compatible with positional-only parameters (see https://github.com/python/mypy/issues/13627).

Thus I cannot use mypy anymore.

It would be nice if you could update your dev dependencies: https://github.com/mozilla/bleach/blob/6cd4d527a6b43569c1e1490e632500199b1efb6c/setup.py#L42

python and bleach versions (please complete the following information):

• Python Version: 3.10.7
• Bleach Version: 5.0.1

To Reproduce

Steps to reproduce the behavior:

Numpy uses these kind of parameters so it is sufficient to run mypy on a script that imports numpy:

1. Create new file test.py

   import numpy

2. Run mypy test.py

Expected behavior

mypy does what it should do

[willkg]

I don't understand why this would be an issue. Are you installing the dev dependencies?

[q-wertz]

As far as I understand it poetry also tracks the dev dependencies from used libraries and groups them in the dev group to which also the packages that I need for developing are added. So when I install the dev dependencies the most restricted version of mypy is installed (which is the one from bleach in my case).

[willkg]

Huh. That sounds like an unhelpful behavior for Poetry. Unless you're doing development on Bleach, the tools for your application shouldn't be tracking Bleach dev dependencies.

I'll look at redoing how Bleach tracks dev dependencies.

[q-wertz]

I think it was an issue on my side. Sorry for the noise.

[willkg]

Glad you figured something out! I will change how we manage dev dependencies in the next update soon.