Analyzer should provide a hint if an indirect package dependency is directly imported.

[stereotype441]

If the pubspec.yaml file specifies package A but not package B, and package A depends on package B, then pub will download package B into the "packages" directory (since it is an indirect dependency), and the user may import files from package B without error.

However, this creates a dangerous situation: if, in a later release of package A, the dependency on package B is dropped, then pub will stop downloading package B, and the user's code will break.

This exact situation recently occurred in the "analysis_server" project: in r35374, I started using the "mock" package to write analysis_server tests. Since analysis_server already contained a reference to "unittest" in its pubspec.yaml file, I was able to import 'package:mock/mock.dart' without any errors, warnings, or hints.

However, when unittest was upgraded to version 0.11.0, its dependency on mock was dropped, causing analysis_server to break the next time pub was run, in spite of the fact that analysis_server wasn't using any deprecated unittest features.

It would be nice if the analyzer provided a hint in this situation, to alert the user that they are making a direct import of a package that is an implicit dependency. The quick fix would be to add a clause to the pubspec.yaml file to make the dependency explicit.

[bwilkerson]

Added this to the Later milestone.
Removed Type-Defect, Priority-Unassigned labels.
Added Type-Enhancement, Priority-Medium labels.

[kasperl]

Removed this from the Later milestone.
Added Oldschool-Milestone-Later label.

[kasperl]

Removed Oldschool-Milestone-Later label.

[srawlins]

Maybe for the linter, which also has other pubspec lints?

[zoechi]

#57175
#57176

[srawlins]

Replaced with linter requests, as pointed out by @zoechi