chore(deps): drop unused mock and types-setuptools

[omercnet]

Summary

Audit of every declared dependency vs actual import sites surfaced two packages that aren't used by anything in this repo. Drop them.

Package	Group	Status	Evidence
mock==5.2.0	dev	unused	All mock.Mock() / mock.patch calls come from from unittest import mock (stdlib). Zero ^import mock or ^from mock in tests/, samples/, or descope/. The third-party mock package is a backport for Python <3.3 — irrelevant since we require 3.9+.
types-setuptools==75.8.2.20250305	types	unused	Zero import setuptools, import pkg_resources, import distutils anywhere. Was originally needed for typing the pkg_resources fallback in http_client.sdk_version, which was removed in #1453 once we standardized on importlib.metadata.

What stays

Verified each remaining dep is actually imported:

• httpx — descope/http_client.py etc. (4 src files)
• certifi — descope/http_client.py (certifi.where() for SSL CA bundle)
• pyjwt[crypto] — descope/auth.py, descope/jwt_common.py (imported as import jwt)
• email-validator — descope/auth.py
• Flask (extra) — descope/flask/__init__.py, samples
• pre-commit, ruff, mypy — actual CI/dev tooling
• coverage[toml] — invoked directly in CI as uv run coverage run -m pytest
• pytest-cov — supports the --cov form documented in README (intentionally added in refactor: migrate from poetry to uv #1453)

Knock-on cleanup

Drops Apache Software License from [tool.pylic].safe_licenses. types-setuptools was the only installed package whose metadata used that long-form name; remaining Apache-licensed deps (coverage, cryptography) declare Apache-2.0 which is already listed.

Why this matters

Several open Renovate PRs are bumping types-setuptools (#777 v82, #776 v81, #573 v80, #567 v79, #553 v78, etc). They've all been failing CI for unrelated reasons but they're also pure noise — the dep is unused. Closing this gap kills the noise at the source.

Verification

• uv sync --all-extras --locked — clean (60 → 60 - 3 packages)
• uv run ruff check . / ruff format --check — clean
• uv run mypy descope tests samples — no issues (107 files)
• uv run pytest tests — 458 passed on Python 3.9 and 3.13
• uv run --with pylic pylic check — ✨ All licenses ok ✨

[shuni-bot-dev]

🐕 Review complete — View session on Shuni Portal 🐾

[shuni-bot-dev]

🐕 Shuni's Review

Drops two unused dev/types deps (mock, types-setuptools) and the now-redundant Apache Software License safe-license alias.

No issues found — good bones! Verified:

• Zero import mock / from mock in the tree (tests use stdlib unittest.mock)
• Zero setuptools / pkg_resources / distutils imports
• Apache-2.0 SPDX entry still covers remaining Apache deps after types-setuptools (the lone Apache Software License long-form package) is gone

Woof! 🦴

[Copilot]

Pull request overview

Removes two unused development/type-checking dependencies (mock, types-setuptools) from the project’s dependency declarations and lockfile, and simplifies license allow-listing accordingly.

Changes:

• Drop mock from the dev dependency group and from uv.lock (tests use unittest.mock from the standard library).
• Drop types-setuptools from the types dependency group and from uv.lock (no setuptools/pkg_resources usage remains).
• Remove the redundant Apache Software License entry from [tool.pylic].safe_licenses after dependency cleanup.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
pyproject.toml	Removes unused deps from dependency groups and updates pylic safe license list.
uv.lock	Regenerates the lock to reflect removal of mock, types-setuptools, and the now-unneeded setuptools entry.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Coverage report

The coverage rate went from 98.37% to 98.37% ➡️

None of the new lines are part of the tested code. Therefore, there is no coverage data about them.