Compiler should refuse to publish a package that uses a dev-dependency in its source #3143

Open
JonasGruenwald opened this issue May 16, 2024 · 7 comments
Labels: bug, good first issue, help wanted, priority:medium

Comments

@JonasGruenwald

I mistakenly published a package including modules that import dev-dependencies, as I didn't know I had to put them under the /test directory.

During publishing I got these warnings

warning: Transitive dependency imported
  ┌─ /Users/jonas/Projects/chrobot/src/chrobot/internal/download_protocol.gleam:9:1
  │
9 │ import gleam/http/request
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^

The module `gleam/http/request` is being imported, but `gleam_http`, the
package it belongs to, is not a direct dependency of your package.
In a future version of Gleam this may become a compile error.

Run this command to add it to your dependencies:

    gleam add gleam_http


warning: Transitive dependency imported
   ┌─ /Users/jonas/Projects/chrobot/src/chrobot/internal/download_protocol.gleam:10:1
   │
10 │ import gleam/httpc
   │ ^^^^^^^^^^^^^^^^^^

The module `gleam/httpc` is being imported, but `gleam_httpc`, the package
it belongs to, is not a direct dependency of your package.
In a future version of Gleam this may become a compile error.

Run this command to add it to your dependencies:

    gleam add gleam_httpc

But the package was published regardless.

According to @hayleigh-dot-dev on discord:

can you open an issue on the compiler repo. i think the compiler should refuse to publish a package that uses a dev-dependency in its source!

@lpil
Member

lpil commented May 17, 2024

gleam_http is also a regular dependency in your project. If it was only a dev dep it would refuse to publish.

@lpil closed this as completed May 17, 2024

@JonasGruenwald
Author

@lpil hm but how? it's not listed under dependencies?

https://github.com/JonasGruenwald/chrobot/blob/v1.0.0/gleam.toml#L12

If I create a new project right now and add to my gleam.toml

[dependencies]
gleam_stdlib = ">= 0.34.0 and < 2.0.0"
chrobot = "1.0.0"

And run gleam run

I get:

error: Unknown module
  ┌─ /Users/jonas/Projects/temp/issue_3143/build/packages/chrobot/src/chrobot/internal/download_protocol.gleam:9:1
  │
9 │ import gleam/http/request
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^

No module has been found with the name `gleam/http/request`.

This is on version 1.0.0 of chrobot, I had fixed it in the version after.

@JonasGruenwald
Author

Is it the manifest file that has this information?
It may be that I moved it from regular to dev dependencies in the gleam.toml but then forgot to run whatever command is required (I guess gleam update).

@lpil
Member

lpil commented May 17, 2024

As the warning there says it is transitive. I would recommend not publishing a package that had warnings.

@JonasGruenwald
Author

It does say that, I don't see how that would be possible, since if the dep was transitive it would still be installed alongside my package and not cause this error, also I can't see any of my dependencies depending on it unless I'm missing something.

But anyways nevermind, I agree that it was my mistake to ignore the warning, was just told specifically to open this issue so I did :)

@lpil
Member

lpil commented May 18, 2024

Oh! Then there is a bug somewhere. I am rather confused since gleam publish builds in production mode. I think some deps are leaking into that somewhere now.

@lpil reopened this May 18, 2024
@lpil added the bug, help wanted, good first issue, priority:medium labels May 18, 2024

@JonasGruenwald
Author

Alright :) Here are some proper steps to reproduce, seems to actually not be related to me messing with the gleam.toml

  1. Create project: gleam new issue_3143
  2. Add dev dependency: gleam add --dev justin
  3. Use it inside src:

    // src/issue_3143.gleam
    import gleam/io
    import justin

    pub fn main() {
      io.println(justin.snake_case("HelloWorld"))
    }

  4. Fill out the required fields in gleam.toml related to publishing
  5. Run gleam publish

Output:

~/Projects/temp/issue_3143 → gleam publish
The repository configuration in your `gleam.toml` file does not appear to be
valid, https://github.com/JonasGruenwald/issue_3143 returned status 404 Not Found

Do you wish to continue? [y/n]: y

  Compiling gleam_stdlib
  Compiling gleeunit
  Compiling justin
  Compiling issue_3143

warning: Transitive dependency imported
  ┌─ /Users/jonas/Projects/temp/issue_3143/src/issue_3143.gleam:2:1
  │
2 │ import justin
  │ ^^^^^^^^^^^^^

The module `justin` is being imported, but `justin`, the package it belongs
to, is not a direct dependency of your package.
In a future version of Gleam this may become a compile error.

Run this command to add it to your dependencies:

    gleam add justin

   Compiled in 0.68s
 Generating documentation

Generated files:
  - src/issue_3143.app.src
  - src/issue_3143.erl

Source files:
  - README.md
  - gleam.toml
  - src/issue_3143.gleam

Name: issue_3143
Version: 1.0.0

Do you wish to publish this package? [y/n]: y
https://hex.pm username:
https://hex.pm password (will not be printed as you type):
# I left the fields empty so it failed to publish at that point, but I believe it should not get to there?

Expected Behaviour

gleam publish should refuse to publish the package

Actual Behaviour

Gleam warns that the added dev dependency is a transitive dependency, which is not true, and does not prevent publishing.
