Add dependency safeguards: deptry, pre-commit, declare pandas#492
- Declare pandas explicitly in pyproject.toml (used directly by metatraits transform, was only resolved transitively via pyobo/kgx)
- Add deptry to dev dependencies for catching undeclared imports
- Add .pre-commit-config.yaml wiring up ruff, codespell, and deptry
- Add [tool.deptry] config excluding notebooks and docs dirs

Closes #491

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Adds explicit dependency and developer tooling safeguards to prevent undeclared/transitive dependency breakage and to enforce repo hygiene via pre-commit.
Changes:
- Declare `pandas` as a direct runtime dependency.
- Add `deptry` to dev dependencies and configure it to exclude `notebooks/` and `docs/`.
- Introduce `.pre-commit-config.yaml` to run `ruff`, `codespell`, and `deptry` via hooks.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pyproject.toml | Adds pandas and deptry, plus deptry config exclusions. |
| .pre-commit-config.yaml | Wires ruff, codespell, and deptry into pre-commit. |
| - id: ruff-format | ||
This introduces ruff-format in pre-commit, but the repo’s existing formatting workflow uses black (see tox.ini testenv:format). Unless the project is intentionally migrating away from Black, this will lead to inconsistent formatting between pre-commit and tox -e format/developer workflows; consider either adding a Black pre-commit hook or updating tox/config to use Ruff formatter consistently (and align line-length settings).
| - id: ruff-format | |
| - repo: https://github.com/psf/black | |
| rev: 24.4.2 | |
| hooks: | |
| - id: black |
| - tomli | ||
| - repo: https://github.com/fpgmaas/deptry | ||
| rev: 0.23.0 |
The pre-commit hooks pin specific tool versions (ruff-pre-commit rev and deptry rev), but pyproject.toml allows much older versions (e.g., ruff = ">=0.2.1", deptry = ">=0.16.0"). This can cause confusing drift where poetry run ruff/deptry behaves differently from pre-commit; consider pinning the Poetry dev dependency versions to match the hook revs (or vice versa) to keep results consistent.
| rev: 0.23.0 | |
| rev: 0.16.0 |
| @@ -35,6 +36,7 @@ jupyter-contrib-nbextensions = "^0.7.0" | |||
| python-sql = "^1.4.2" | |||
| ipython-sql = "^0.5.0" | |||
| ruff = ">=0.2.1" | |||
| deptry = ">=0.16.0" | |||
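Review bot: `deptry = ">=0.16.0"` at the end of this hunk is an open-ended floor while the pre-commit hook in this same PR pins `rev: 0.23.0`, so `poetry install` and the hook can resolve different deptry releases with different default rules; consider `deptry = "^0.23.0"` (or bumping the floor whenever the hook rev is bumped), and regenerate `poetry.lock` in the same commit so the lockfile matches the changed pyproject.toml.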
pandas and deptry are added/updated in pyproject.toml, but this PR doesn’t update poetry.lock. With a committed lockfile, poetry install (including CI) will fail with a "pyproject.toml changed significantly" error until the lock is regenerated and committed (e.g., poetry lock / poetry update pandas deptry).
Summary
- Declare `pandas` explicitly in `pyproject.toml` — used directly by the metatraits transform but was only resolved transitively through pyobo/kgx
- Add `deptry` to dev dependencies to catch undeclared imports and stale deps
- Add `.pre-commit-config.yaml` wiring up `ruff`, `codespell`, and `deptry` (all three were configured in pyproject.toml but not enforced via hooks)
- Add `[tool.deptry]` config excluding notebooks and docs dirs

Context
Found while reviewing the `poetry.lock` diff in #490 — 7K lines changed with only 1 declared new dep. Opened as #491.
Note: GitHub reports 33 known vulnerabilities on the default branch. Adding `pip-audit` or `safety` as a follow-up would help catch these in CI.

Closes #491

Test plan
- `poetry install` resolves cleanly with the new `pandas` declaration
- `pre-commit run --all-files` passes (or surfaces known issues to fix)
- `deptry .` reports no undeclared transitive imports

🤖 Generated with Claude Code
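The failure mode this PR guards against (a module that imports fine only because some declared dependency happens to pull it in, as pandas did via pyobo/kgx) is easy to reproduce in a few lines. The script below is an added example written for this page, not deptry's code and not part of the repository: it parses the imports of a constructed set of source files with `ast`, reads the `name = "<constraint>"` entries of Poetry's main and dev dependency tables from a constructed `pyproject.toml`, skips standard-library and first-party modules plus an excluded `notebooks/` directory (mirroring the `[tool.deptry]` exclusions), and reports both undeclared transitive imports and declared-but-unused dependencies. The `MODULE_TO_DIST` table, the sample project text and the `example_kg` package name are assumptions made for the demonstration; a real check should parse the TOML properly rather than line by line.

```python
"""Minimal undeclared/unused dependency check in the spirit of deptry (added example)."""
import ast
import re
import sys

# Import names that differ from their PyPI distribution name (partial, constructed table).
MODULE_TO_DIST = {"yaml": "PyYAML", "sklearn": "scikit-learn", "bs4": "beautifulsoup4"}

# Standard-library modules never need declaring; Python 3.10+ ships the full list.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"os", "sys", "re", "json", "pathlib"}))

_SECTION = re.compile(r"^\[(.+)\]$")
_KEY = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=")

# Constructed sample pyproject.toml: pyobo/kgx declared, pandas and PyYAML not.
SAMPLE_PYPROJECT = """\
[tool.poetry]
name = "example-kg"

[tool.poetry.dependencies]
python = "^3.10"
pyobo = "^0.10"
kgx = "^2.0"
click = "^8.1"

[tool.poetry.group.dev.dependencies]
ruff = ">=0.2.1"
deptry = ">=0.16.0"
"""

# Constructed sample sources keyed by repo-relative path; notebooks/ is excluded from the scan.
SAMPLE_SOURCES = {
    "example_kg/transform.py": "import os\nimport pandas as pd\nfrom kgx.graph.base_graph import BaseGraph\n",
    "example_kg/utils.py": "import yaml\nfrom pyobo import get_name\nfrom .transform import run\n",
    "notebooks/scratch.py": "import seaborn\n",
}


def normalize(name):
    """PEP 503 style normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text):
    """Package names from Poetry's main and group dependency tables (simple key = value form only)."""
    declared = {"main": set(), "dev": set()}
    group = None
    for raw in pyproject_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            name = section.group(1)
            if name == "tool.poetry.dependencies":
                group = "main"
            elif name.startswith("tool.poetry.group.") and name.endswith(".dependencies"):
                group = "dev"
            else:
                group = None
            continue
        key = _KEY.match(line)
        if group and key and key.group(1) != "python":  # 'python' is the interpreter constraint
            declared[group].add(normalize(key.group(1)))
    return declared


def imported_modules(source):
    """Top-level module names imported by one source file; relative imports are skipped."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def check(pyproject_text, sources, first_party=("example_kg",), exclude=("notebooks/", "docs/")):
    """Return undeclared distributions (imported, declared nowhere) and unused main dependencies."""
    declared = declared_dependencies(pyproject_text)
    used = set()
    for path, code in sources.items():
        if path.startswith(exclude):
            continue
        for module in imported_modules(code):
            if module in STDLIB or module in first_party:
                continue
            used.add(normalize(MODULE_TO_DIST.get(module, module)))
    undeclared = used - declared["main"] - declared["dev"]
    unused = declared["main"] - used
    return {"undeclared": sorted(undeclared), "unused": sorted(unused)}


if __name__ == "__main__":
    print(check(SAMPLE_PYPROJECT, SAMPLE_SOURCES))
```

Run as-is, the sample reports `pandas` and `pyyaml` as undeclared (both importable only through whatever the declared packages pull in) and `click` as declared but unused; the `seaborn` import in `notebooks/` is ignored because of the exclusion, which is exactly why excluding directories should be limited to code that is never shipped.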