DP006: HasUpperBounds

Overview

Property   Value
ID         DP006
Name       HasUpperBounds
Group      dependencies
Severity   NOTE

Description

Checks that dependencies have upper version bounds to prevent unexpected breakage.

Dependencies without upper bounds can cause:

  • Unexpected failures when major versions are released
  • Incompatible API changes breaking your code
  • Difficult-to-debug production issues

What it checks

The check scans pyproject.toml dependencies for missing upper bounds:

# BAD - no upper bounds
dependencies = [
    "requests>=2.28.0",
    "numpy>=1.24.0",
]

# GOOD - has upper bounds
dependencies = [
    "requests>=2.28.0,<3",
    "numpy>=1.24.0,<2",
    "click~=8.0",  # ~= implies upper bound
]
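The detection logic the check performs, as an added, self-contained example that is not pycmdcheck's own code: it splits each PEP 508 requirement string into a name and its version specifiers, treats `<`, `<=`, `==`, `===` and `~=` as upper bounds, and reports the `[project]` dependencies (including optional-dependency groups) that have none. The function names, the `SAMPLE_PYPROJECT` text and the handling of extras, markers and direct URL references are assumptions made for this example; the TOML loader is the standard-library `tomllib` (Python 3.11+).

```python
import re

# Operators that cap the allowed versions from above: explicit '<' / '<=',
# exact pins ('==', '==2.*', '==='), and the compatible-release operator '~='.
# '>', '>=' and '!=' leave the upper side open.
UPPER_BOUND_OPS = {"<", "<=", "==", "===", "~="}

_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
# Longer operators are listed first so '<=' is not read as '<' followed by '='.
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,;\s]+)")


def split_requirement(req):
    """Return (name, specifiers, is_direct_ref) for a PEP 508 requirement string.

    specifiers is a list of (operator, version) tuples. Environment markers
    (after ';') and extras ('[...]') are discarded because they do not affect
    the version range; a direct reference ('name @ url') carries no specifiers.
    """
    body = req.split(";", 1)[0].strip()
    m = _NAME_RE.match(body)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, rest = m.group(1), body[m.end():]
    if rest.lstrip().startswith("@"):
        return name, [], True
    rest = re.sub(r"\[[^\]]*\]", "", rest)
    return name, _SPEC_RE.findall(rest), False


def has_upper_bound(req):
    """True if the requirement caps the version from above.

    A direct reference pins one specific artifact, so it counts as bounded.
    """
    _, specs, is_direct = split_requirement(req)
    return is_direct or any(op in UPPER_BOUND_OPS for op, _ in specs)


def tomllib_available():
    """Whether the standard-library TOML parser (Python 3.11+) can be imported."""
    try:
        import tomllib  # noqa: F401
    except ImportError:
        return False
    return True


def find_unbounded(pyproject_text):
    """Names of [project] dependencies, including optional-dependency groups,
    that have no upper bound (the condition DP006 reports)."""
    import tomllib  # on Python < 3.11, install 'tomli' and import it as tomllib
    project = tomllib.loads(pyproject_text).get("project", {})
    reqs = list(project.get("dependencies", []))
    for group in project.get("optional-dependencies", {}).values():
        reqs.extend(group)
    return [split_requirement(r)[0] for r in reqs if not has_upper_bound(r)]


# Constructed sample pyproject.toml for this example, not taken from any real project.
SAMPLE_PYPROJECT = """
[project]
name = "demo"
dependencies = [
    "requests>=2.28.0",
    "numpy>=1.24.0,<2",
    "click~=8.0",
    "pyyaml",
    "pkg[socks]>=1,<2; python_version < '3.12'",
]

[project.optional-dependencies]
dev = ["pytest>=7", "ruff==0.4.*"]
"""

if __name__ == "__main__":
    for name in find_unbounded(SAMPLE_PYPROJECT):
        print(f"DP006: {name} has no upper version bound")
```

Run against the sample, this reports requests, pyyaml and pytest; numpy and click are bounded by `<2` and `~=8.0`, ruff is pinned by the wildcard `==0.4.*`, and pkg is bounded by `<2` once its extras and marker are stripped.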

How to fix

Add upper version bounds to your dependencies:

Specifier      Meaning
>=2.28,<3      Version 2.28 or later, but below 3.0
~=2.28         Compatible release (equivalent to >=2.28,<3.0)
>=2.28,<2.30   Narrow version range

Example fix

[project]
dependencies = [
    "requests>=2.28.0,<3",      # Instead of requests>=2.28.0
    "numpy>=1.24.0,<2",         # Prevents numpy 2.x breaking changes
    "click~=8.0",               # Compatible release operator
]

When upper bounds may not be needed

  • Well-maintained packages - Some packages have excellent backwards compatibility
  • Internal packages - When you control both sides of the dependency
  • Rapid development - During early development before stabilization

Configuration

Skip this check

[tool.pycmdcheck]
skip = ["DP006"]

CLI

pycmdcheck --skip DP006