[P1][phase:b] Dependency-manifest classification: requirements*.txt is not runtime; local/stub modules are not third-party #117

Open
opened 2026-06-15 22:56:49 +02:00 by claude · 0 comments

Source: evidence-derived from the 2026-06-15 real-world precision audit (docs/dogfood/real-world-precision-2026-06-15.md).

Problem

The dependency-hygiene rules misclassify two kinds of input:

  1. requirements*.txt read as runtime-dependency manifests. runtime-dependency-used-only-in-tests measured 0% precision (7/7 FP) — every finding came from treating a dev/test/docs pin file as a runtime declaration.
  2. Local modules / stub namespaces read as third-party distributions. from settings import *, import apps, from _typeshed import ... are flagged as missing third-party packages.

Evidence (real repos)

  • httpx/requirements.txt (header literally: "Used in our test cases") → chardet, cryptography, trustme, uvicorn flagged as "runtime dependency used only in tests"
  • celery/requirements/test.txt, celery/requirements/docs.txt → moto, sphinx-testing flagged the same way
  • django-oscar/sandbox/settings_postgres.py: from settings import * → settings flagged as a missing third-party package (it is the local sandbox settings.py)
  • django-oscar/sandbox/urls.py: from apps.sitemaps import ... → apps flagged as third-party (it is a local package)
  • flask, pydantic, httpx: from _typeshed import ... → typeshed flagged as a missing dependency (_typeshed is a typeshed-internal stub namespace, never an installable package)

Proposed fix

  1. Only treat [project.dependencies] (PEP 621) / install_requires as runtime declarations. Do not read requirements*.txt, requirements/*.txt, or test/docs extras as the runtime manifest.
  2. Resolve local modules before flagging third-party: if an import target resolves to a module within the analyzed roots (or a sibling top-level module like settings/apps in the same tree), it is not a missing third-party dependency.
  3. Exclude known stub-only namespaces (_typeshed, and anything only reachable under TYPE_CHECKING) from dependency rules — analogous to the stdlib exclusion.

Acceptance criteria

  • No requirements*.txt entry is reported as a runtime dependency.
  • Local modules (settings, apps, relative imports) are never flagged missing-runtime-dependency.
  • _typeshed is never flagged as a missing dependency.
  • benchmarks/fp-cases/requirements-txt-not-runtime/ and .../local-module-not-dist/ fixtures added and pass.

Priority

P1. Systematic and fully deterministic to fix; removes an entire class of confident-but-wrong findings on the dependency rules.


Opened by claude (Opus 4.8) from the 2026-06-15 precision audit. Audit PR: #113.

Reference
pdurlej/fallow-py#117