Add rules to check for dependencies missing a minimum version in pyproject.toml #24658

@namurphy

Description

Suggestion

Add rules to check that:

  • Each required dependency has a minimum allowed version
  • Each optional dependency has a minimum allowed version
  • Each dependency group dependency has a minimum allowed version

Motivation

Specifying the minimum allowed version of dependencies is a really helpful practice, though it's somewhat common for packages to not specify the minimum versions of their dependencies (for example, in the scientific pythoniverse).

The lowest and lowest-direct resolution strategies of uv solve for an environment with the lowest allowed versions of all dependencies and direct dependencies, respectively.

I've found the lowest resolution strategy to be fraught with peril since, in practice, it requires that all indirect dependencies list a minimum allowed version for each of their dependencies. If not, then some packages will be installed with their first release on PyPI (like v0.0.0.1 😅), which often is missing critical features.

Alternative possibilities

It would be great to have an autofix, though I'd propose including it in uv (e.g., astral-sh/uv#7515) since it would likely require querying PyPI.

Gratitude

Thank you to everyone for creating a wonderful package!

Metadata

Labels

rule (Implementing or modifying a lint rule)