Split cloud storage and notification clients into optional extras #2155
Description
Is your feature request related to a problem? Please describe.
We use elementary-data[redshift] on an AWS-only stack. Installing elementary forces base dependencies that are irrelevant to our environment — google-cloud-storage (which pulls in google-auth, pyasn1, pyasn1-modules, rsa, and 6 more Google packages), azure-storage-blob (+ azure-core), and pymsteams.
These unused transitive dependencies regularly trigger CVE findings in vulnerability scanners (e.g., Trivy) and block our deployment pipelines. For example, pyasn1 v0.6.2 (CVE-2026-30922) was recently flagged — a package we don't use but can't avoid installing.
Describe the solution you'd like
Move cloud storage and notification clients behind optional extras:
[project.optional-dependencies]
s3 = ["boto3"]
gcs = ["google-cloud-storage"]
azure = ["azure-storage-blob"]
slack = ["slack-sdk"]
teams = ["pymsteams"]Users would then install only what they need: elementary-data[redshift,s3,slack]
Describe alternatives you've considered
We currently use uv's exclude-dependencies to strip out google-cloud-storage and azure-storage-blob at install time. This works but is fragile — it shifts the maintenance burden to every consumer and must be re-verified on each elementary upgrade.
Additional context
The current base dependencies include clients for all three cloud providers (boto3, google-cloud-storage, azure-storage-blob) and both notification backends (slack-sdk, pymsteams), regardless of which dbt adapter extra is selected. The extras only control database adapters today.
Would you be willing to contribute this feature?
Yes, happy to submit a PR.