flake8-requirements

Ensure that dev dependencies are not used in production

Open sobolevn opened this issue 5 years ago • 3 comments

poetry has dependencies and dev-dependencies. In development we can import packages from both sections. But, in production we cannot use packages in dev-dependencies.

I think that dev-dependencies should be checked to be blacklisted if we are running a production check.

sobolevn avatar Feb 03 '20 11:02 sobolevn

I'm not as such familiar with flake8 usage, but is there any way to determine a "production" check? Maybe some other plug-in already has such a flake8 option, so flake8-requirements could check it as well?

arkq avatar Feb 03 '20 11:02 arkq

I am not aware of any existing solutions in this field. We can add an extra flag, --requirements-production-mode, which will indicate that we are running in the production environment.

sobolevn avatar Feb 03 '20 11:02 sobolevn

Maybe some way to specify allowed directories or similar. For example, in my projects, dev dependencies typically only get used under the tests/ directory and a _localdev module.

So, maybe if you could do something in the config along the lines of:

requirements-file = requirements.txt:[],requirements-dev.txt:[tests/, _localdev/]

Meaning that tests/ and _localdev/ will be checked against requirements-dev.txt, while the rest of the code would be checked against requirements.txt.

Dreamsorcerer avatar Jun 18 '21 18:06 Dreamsorcerer
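
A sketch of the per-directory check proposed in the last comment, added here as an example; it is not flake8-requirements code, and the option syntax is only the proposal from this thread. The file contents, source tree and function names are constructed, and import names are assumed to match package names.

```python
import ast
import re
import sys
# Option value as proposed in the thread (a proposal, not an implemented option).
SPEC = "requirements.txt:[],requirements-dev.txt:[tests/, _localdev/]"
# Constructed file contents; assumes import name == package name.
REQUIREMENTS = {"requirements.txt": {"requests"},
                "requirements-dev.txt": {"requests", "pytest"}}
FILES = {  # constructed source tree: path -> source text
    "app/client.py": "import requests\nimport pytest\n",
    "tests/test_client.py": "import pytest\nfrom requests import Session\n",
    "_localdev/seed.py": "import os\nimport pytest\n",
}
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os"}))

def parse_spec(spec):
    """Return {requirements file: [directory prefixes]}; [] is the catch-all."""
    pairs = re.findall(r"([^,:\[\]]+):\[([^\]]*)\]", spec)
    return {n.strip(): [d.strip() for d in ds.split(",") if d.strip()]
            for n, ds in pairs}

def requirements_for(path, mapping):
    """Pick the file whose directories cover `path`, else the catch-all file."""
    for name, dirs in mapping.items():
        if any(path.startswith(d) for d in dirs):
            return name
    return next(name for name, dirs in mapping.items() if not dirs)

def top_level_imports(source):
    """Top-level names of absolutely imported modules in `source`."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            mods.add(node.module.split(".")[0])
    return mods

def check(files, requirements, mapping):
    """Return (path, module) pairs not declared in the file governing that path."""
    findings = []
    for path, source in sorted(files.items()):
        allowed = requirements[requirements_for(path, mapping)] | STDLIB
        findings += [(path, m) for m in sorted(top_level_imports(source) - allowed)]
    return findings

if __name__ == "__main__":
    for path, mod in check(FILES, REQUIREMENTS, parse_spec(SPEC)):
        print(f"{path}: '{mod}' is not declared for this path")
```

With the constructed tree, only the production module that imports a dev-only package is reported; the same import under tests/ and _localdev/ passes.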