Problem
`requirements.txt` lists 15 packages. Only two are directly imported anywhere in the source tree:
- `Flask` — production runtime
- `pytest` — test-only
The other 13 (`blinker`, `click`, `colorama`, `exceptiongroup`, `iniconfig`, `itsdangerous`, `Jinja2`, `MarkupSafe`, `packaging`, `pluggy`, `tomli`, `typing_extensions`, `Werkzeug`) are transitive dependencies of Flask or pytest. They get installed automatically; pinning them by hand makes the file noisy and creates work the next time pip resolves a different transitive set.
Two adjacent issues:
- `pytest` is in `requirements.txt`, so production users following the README's `pip install -r requirements.txt` step get a test framework they don't need.
- The README and CI both rely on a single-file install, so there's no place to declare dev-only deps cleanly.
Suggested fix
- `requirements.txt`: keep `Flask` only (pinned).
- New `requirements-dev.txt`: `-r requirements.txt` + `pytest` (pinned).
- Update `.github/workflows/ci.yml` to `pip install -r requirements-dev.txt`.
- Update README install instructions to reference the dev file when running tests.
- Add a tiny test that boots the Flask app under `app.test_client()` to prove the production install set is sufficient (catches the case where someone adds a real `from werkzeug.X import Y` later — would surface as a missing transitive on a future Flask bump).
Severity
Low / 1pt.
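One way to check which pins are directly imported before splitting the file, as an added example that is not part of the original issue or the project's code. It assumes each package's import name is its distribution name lowercased with `-` replaced by `_` (true for the packages named above); the sample requirements, versions and source files are constructed placeholders.

```python
import ast
import re

def pinned_names(requirements_text):
    """Return distribution names from requirements lines, skipping comments and options like -r."""
    names = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        # The name ends at the first version specifier, extras bracket, or marker.
        names.append(re.split(r"[=<>!~\[;\s]", line, maxsplit=1)[0])
    return names

def imported_top_level(sources):
    """Collect top-level module names imported by a {path: source} mapping."""
    found = set()
    for source in sources.values():
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.Import):
                found.update(alias.name.split(".")[0] for alias in node.names)
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                found.add(node.module.split(".")[0])
    return found

def classify(requirements_text, sources):
    """Split pins into (directly imported, not imported anywhere)."""
    imported = {m.lower() for m in imported_top_level(sources)}
    direct, unused = [], []
    for name in pinned_names(requirements_text):
        # Assumption: import name == normalized distribution name.
        module = name.lower().replace("-", "_")
        (direct if module in imported else unused).append(name)
    return direct, unused

# Constructed sample: versions and file contents are placeholders, not the project's.
SAMPLE_REQUIREMENTS = """\
Flask==0.0.0
Werkzeug==0.0.0
Jinja2==0.0.0
typing_extensions==0.0.0
pytest==0.0.0
"""
SAMPLE_SOURCES = {
    "app.py": "from flask import Flask\napp = Flask(__name__)\n",
    "tests/test_app.py": "import pytest\nfrom app import app\n",
}

if __name__ == "__main__":
    direct, unused = classify(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES)
    print("direct:", direct)
    print("transitive-only candidates:", unused)
```

Anything it reports as not imported is a candidate for removal from `requirements.txt`; a pin that later shows up as direct (for example a new `from werkzeug.X import Y`) should be declared explicitly.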