Dependency policy¶
Keep runtime dependencies small and justified. benchmatrix currently depends on pytest and pytest-benchmark because it is a pytest-benchmark integration layer.
Runtime dependencies¶
Add a runtime dependency only when it is needed by installed users. Prefer the standard library for small utilities.
Development dependencies¶
Development dependencies are split by concern in pyproject.toml:
testfor pytest support and test-only libraries;lintfor Ruff and pre-commit orchestration;typefor basedpyright;docsfor MkDocs and API documentation generation;securityfor Bandit, deptry, detect-secrets, and pip-audit;releasefor build, Twine, and SBOM tooling;automationfor nox.
The dev group includes all focused groups, so the default uv sync --locked
workflow still installs the complete local development environment. Tooling
should not overlap without a clear reason.
Updates¶
Dependency updates should include:
- lockfile update;
make check;make test-matrixwhen compatibility may be affected;- changelog entry when users or maintainers need to know.
Dependabot opens routine weekly update pull requests for Python, Node, pre-commit, GitHub Actions, Docker, and devcontainer dependencies. Review those pull requests like any other dependency change: confirm the scope is expected, let CI finish, and require a human merge decision.
Minor and patch updates are grouped where Dependabot supports grouping. Major updates are intentionally left as separate pull requests so compatibility and security implications are easier to review.
Vulnerabilities¶
pip-audit failures should be triaged by severity, exploitability, and whether the affected dependency is runtime or development-only. See the dependency-update and security-report runbooks for operational steps.