
Hardening suggestions for codemodder-python / dep-hashes #274

Merged
merged 1 commit into from
Feb 21, 2024

Conversation

pixeebot[bot]
Copy link
Contributor

@pixeebot pixeebot bot commented Feb 18, 2024

I've reviewed the recently opened PR (273 - Requirements.txt writer adds hashes and a way to remember to update codemodder deps) and have identified some area(s) that could benefit from additional hardening measures.

These changes should help prevent potential security vulnerabilities and improve overall code quality.

Thank you for your consideration!

docs | feedback
Powered by: pixeebot



def get_package_hashes(package_name: str, version: str) -> list[str]:
"""
Fetch the SHA256 hashes for a given package version from PyPI.
"""
url = f"https://pypi.org/pypi/{package_name}/{version}/json"
response = requests.get(url)
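Review bot: `requests.get(url)` on the last line of this context has no `timeout`, so a stalled connection to pypi.org blocks the whole requirements run indefinitely; pass an explicit value such as `response = requests.get(url, timeout=30)`. The context shown also performs no status check on the response; if the rest of the function does not either, add `response.raise_for_status()` before reading the JSON so an unknown package or version (a 404) cannot be mistaken for a valid hash list.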
Contributor Author


Add timeout to requests call

pyproject.toml (outdated review thread, resolved)
@@ -35,8 +35,7 @@ def main():
continue

package_name, version = arg.split("==", 1)
hashes = get_package_hashes(package_name, version)
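Review bot: the unpacking `package_name, version = arg.split("==", 1)` raises `ValueError` for any requirement that is not an exact `==` pin; the `continue` guard above it is cut off in this hunk, so confirm it skips every such line (for example `if "==" not in arg: continue`) before the split. Since `get_package_hashes` is keyed on an exact version, a range specifier or an unpinned name cannot be hashed and should be rejected explicitly rather than crashing the writer.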
Contributor Author


Replaces multiple expressions involving if operator with 'walrus' operator.

@drdavella
Member

@clavedeluna I'd like to drop the commit that adds the security package but otherwise go ahead with this PR.

Base automatically changed from dep-hashes to main February 21, 2024 15:22

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@drdavella drdavella enabled auto-merge February 21, 2024 18:52
@drdavella drdavella added this pull request to the merge queue Feb 21, 2024
Merged via the queue into main with commit 951a640 Feb 21, 2024
11 checks passed
@drdavella drdavella deleted the pixeebot/dep-hashes branch February 21, 2024 19:33
2 participants