Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip searching the pyproject.toml for dependencies if requirements-files is explicitly passed #1034

Closed
wants to merge 5 commits into from
Closed

Skip searching the pyproject.toml for dependencies if requirements-files is explicitly passed #1034

wants to merge 5 commits into from

Conversation

fpgmaas
Copy link
Owner

@fpgmaas fpgmaas commented Jan 23, 2025
edited
Loading

…licitly set by the user

PR Checklist

  • A description of the changes is added to the description of this PR.
  • If there is a related issue, make sure it is linked to this PR.
  • If you've fixed a bug or added code that should be tested, add tests!
  • If you've added or modified a feature, documentation in docs is updated

Description of changes

Currently, we search for dependencies in the following order:

    - Search for pyproject.toml with a [tool.poetry] section
    - Search for pyproject.toml with a [tool.uv.dev-dependencies] section
    - Search for pyproject.toml with a [tool.pdm.dev-dependencies] section
    - Search for pyproject.toml with a [project] section
    - Search for requirements.txt or requirements.in files

However, this causes issues for users who have a pyproject.toml with a valid configuration, but still want to use the requirements.txt file for their dependency scanning by deptry. At the same time, it is a bit strange that deptry searches the pyproject.toml for dependencies, even if the user explicitly passed the requirements-files parameter.

We could solve both issues by skipping the search for dependencies in pyproject.toml when the user specifies requirements-files explicitly.

@fpgmaas fpgmaas marked this pull request as draft January 23, 2025 15:36
@fpgmaas fpgmaas linked an issue Jan 23, 2025 that may be closed by this pull request
Add a way to ignore the pyproject.toml and only use the requirements.txt #911
Open
@codecov Codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.1%. Comparing base (9e4ecd1) to head (4f1149f).
Report is 9 commits behind head on main.

Additional details and impacted files 
@@          Coverage Diff          @@
##            main   #1034   +/-   ##
=====================================
  Coverage   93.0%   93.1%           
=====================================
  Files         37      37           
  Lines        994    1000    +6     
  Branches      99     101    +2     
=====================================
+ Hits         925     931    +6     
  Misses        55      55           
  Partials      14      14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

fpgmaas
fpgmaas commented Jan 23, 2025
View reviewed changes
python/deptry/dependency_getter/builder.py
@@ -41,6 +43,15 @@ class DependencyGetterBuilder:
def build(self) -> DependencyGetter:
pyproject_toml_found = self._project_contains_pyproject_toml()

if not self.using_default_requirements_files:
if not self._any_requirements_files_exists():
raise FileNotFoundError( # noqa: TRY003
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added noqa here. Alternative of creating a class called RequirementsFilesSpecifiedExplicitlyButNotFound feels a bit superfluous 🙈

@fpgmaas fpgmaas requested a review from mkniewallner January 23, 2025 16:13
mkniewallner
mkniewallner reviewed Jan 23, 2025
View reviewed changes
Copy link
Collaborator

@mkniewallner mkniewallner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if it wouldn't be cleaner to expose a --package-manager <name> argument on the CLI to be able to enforce a specific manager if needed. This would have the benefit of being more generic, as it could solve the issue for any package manager.

@fpgmaas
Copy link
Owner Author

fpgmaas commented Jan 24, 2025
edited
Loading

I'm wondering if it wouldn't be cleaner to expose a --package-manager <name> argument on the CLI to be able to enforce a specific manager if needed. This would have the benefit of being more generic, as it could solve the issue for any package manager.

I think that also makes sense! The main reason I chose the approach in this PR is that as a user I'd find it counterintuitive that if I pass requirements-files, deptry still attempt to fetch dependencies from the pyproject.toml file. Adding a --package-manager would not directly solve that, although it does give the user a way to work around it.

Given the fact that it probably very rarely happens though, I agree a --package-manager flag would be better.

@fpgmaas fpgmaas closed this Jan 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkniewallner mkniewallner mkniewallner left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add a way to ignore the pyproject.toml and only use the requirements.txt
2 participants
@fpgmaas @mkniewallner