False positive: How can this be a violation?

[josefsabl]

The PHP code:

<?php

declare(strict_types=1);

final class Foo extends Bar
{
}

class Bar
{
    private function getBaz(): Baz {
        return new Baz();
    }
}

final class Baz
{
}

depfile.yml

paths:
  - /

layers:
  - name: Foo
    collectors:
      - type: className
        regex: ^Foo$

  - name: Bar
    collectors:
      - type: className
        regex: ^Bar$

  - name: Baz
    collectors:
      - type: className
        regex: ^Baz$

ruleset:
  Foo:
    - Bar

  Bar:
    - Baz

  Baz: ~

Result of analysis:

Foo must not depend on Baz (Foo on Baz)
/sandbox/Bar.php::8
	Bar::5 -> 
	Baz::8
Foo must not depend on Baz (Foo on Baz)
/sandbox/Bar.php::7
	Bar::5 -> 
	Baz::7

Looks like the fact that the method is private is ignored. I would understand this as violation if it was protected.

[josefsabl]

What is worse, the Bar class don't need to expose the dependency in its interface at all. It looks like it just need to use it internally to trigger the violation.

<?php

declare(strict_types=1);

final class Foo extends Bar
{
}

class Bar
{
    private function whatever() {
        $theBaz = new Baz();
    }
}

final class Baz
{
}

This also triggers the violation for same configuration.

[smoench]

This is an indirect dependency. Deptrac does is only a static analyser and doesn't know about the runtime path. I could imagine the private function is being used by a protected or public method in Bar which itself is being used by Foo or will be promoted to the public methods of Foo. If none of this is true this method is probably unused and can be safely deleted or you have might have a bad abstraction.