mozilla / bleach

Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
https://bleach.readthedocs.io/en/latest/

bug: hardcoded dev dependency versions breaks mypy usage #679

Closed q-wertz closed 2 years ago

q-wertz commented 2 years ago

Describe the bug

I have an indirect bleach dependency in my code. Due to the usage of poetry, my mypy version is restricted to "mypy (==0.961)" by bleach. This mypy version is not compatible with positional-only parameters (see https://github.com/python/mypy/issues/13627).

Thus I cannot use mypy anymore.

It would be nice if you could update your dev dependencies: https://github.com/mozilla/bleach/blob/6cd4d527a6b43569c1e1490e632500199b1efb6c/setup.py#L42

python and bleach versions (please complete the following information):

To Reproduce

Steps to reproduce the behavior:

NumPy uses this kind of parameter, so it is sufficient to run mypy on a script that imports numpy:

  1. Create new file test.py
    import numpy
  2. Run mypy test.py

Expected behavior

mypy does what it should do

willkg commented 2 years ago

I don't understand why this would be an issue. Are you installing the dev dependencies?

q-wertz commented 2 years ago

As far as I understand it, poetry also tracks the dev dependencies from used libraries and groups them in the dev group, to which the packages that I need for developing are also added. So when I install the dev dependencies, the most restricted version of mypy is installed (which is the one from bleach in my case).

willkg commented 2 years ago

Huh. That sounds like an unhelpful behavior for Poetry. Unless you're doing development on Bleach, the tools for your application shouldn't be tracking Bleach dev dependencies.

I'll look at redoing how Bleach tracks dev dependencies.

q-wertz commented 2 years ago

I think it was an issue on my side. Sorry for the noise.

willkg commented 2 years ago

Glad you figured something out! I will change how we manage dev dependencies in the next update soon.