Policy on bugbears in usage of popular third party libraries #414

Open
Daverball opened this issue Sep 19, 2023 · 2 comments
Comments

@Daverball (Contributor)

Daverball commented Sep 19, 2023

Hi, currently flake8-bugbear seems to primarily (only?) contain errors/warnings either inherent to python code or constructs from the python stdlib, but there are some popular third party libraries, such as MarkupSafe which also have very common usage mistakes, that are almost certainly bugs.

For MarkupSafe there is an existing flake8-plugin, however it hasn't been updated in three years and isn't published on pypi, so I'd feel a little bit better if it was part of a larger, actively maintained project.

So for now I'd just like to get a feel for what the maintainers' stance on this is, and if detecting such errors is a welcome addition, I would be happy to submit a PR for this MarkupSafe-specific issue to begin with. It would also be nice to have a contribution policy alongside the development instructions, so it's easier to gauge whether it's worth opening a pull request for new errors/warnings or whether it'd be better suited as a standalone plugin.

@cooperlees (Collaborator)

Hi,

Thanks for the interest here. I don't feel we should add specific checks for specific third party libraries to flake8-bugbear. I'm all about avoiding policies where we can, but we could add this decision to the README. I'd still like to hear others' opinions here as I could be swayed.

The dedicated plugin seems a much better route. Have you tried contacting the author? They seem to list a twitter/X on their GitHub profile. If so and you've got no response, want to fork it and I can help you add CI + push to PyPI?

@Daverball (Contributor, Author)

Daverball commented Sep 19, 2023

> The dedicated plugin seems a much better route. Have you tried contacting the author? They seem to list a twitter/X on their GitHub profile. If so and you've got no response, want to fork it and I can help you add CI + push to PyPI?

I haven't tried to reach out to them yet, no. I haven't taken a close look at the code or tried to see how robust their detection of bad Markup usage was yet.

It might make more sense to try to get this added to bandit anyway, considering how this is more of a security issue rather than just a regular bug, and there's plenty of precedent for rules that are specific to third party packages, such as Jinja, which depends on MarkupSafe. There is an older open pull request for flask.Markup, which is an alias for markupsafe.Markup, so I'll see if I can get something going there as well.
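The thread never spells out which MarkupSafe usage mistake is meant, so the following is an added illustration written for this page, not code from flake8-bugbear, bandit, or the unmaintained MarkupSafe plugin. It assumes the mistake in question is the well-documented one: passing a non-literal (f-string, concatenation, variable) to `Markup(...)`, which marks untrusted data as safe HTML and bypasses autoescaping, whereas `Markup("...{}").format(x)` or `escape(x)` escape it. The `ast`-based visitor below is the kind of check a flake8 or bandit plugin would run; it resolves `from markupsafe import Markup`, `import markupsafe as ms`, and the `flask.Markup` alias mentioned above. The rule code `MS001` and the sample source are constructed for this example.

```python
"""Detect markupsafe.Markup() called with a non-literal argument (added example)."""
import ast
from typing import List, Tuple

# Modules that expose the Markup class; flask.Markup is an alias of markupsafe.Markup.
MARKUP_MODULES = {"markupsafe", "flask"}
RULE = "MS001 Markup() called with a non-literal argument; untrusted data is marked safe. " \
       "Use Markup('...{}').format(x) or escape(x) instead."


def _is_str_literal(node: ast.AST) -> bool:
    """Only a plain string constant is safe: nothing untrusted can flow into it."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class MarkupVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.class_names = set()   # local names bound to the Markup class
        self.module_names = {}     # local alias -> module name, e.g. {"ms": "markupsafe"}
        self.findings: List[Tuple[int, int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name in MARKUP_MODULES:
                self.module_names[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module in MARKUP_MODULES:
            for alias in node.names:
                if alias.name == "Markup":
                    self.class_names.add(alias.asname or alias.name)
        self.generic_visit(node)

    def _is_markup_class(self, func: ast.AST) -> bool:
        # Markup(...) via a from-import, or module.Markup(...) via a module import.
        if isinstance(func, ast.Name):
            return func.id in self.class_names
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return func.value.id in self.module_names and func.attr == "Markup"
        return False

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_markup_class(node.func) and node.args:
            if not _is_str_literal(node.args[0]):
                self.findings.append((node.lineno, node.col_offset, RULE))
        self.generic_visit(node)


def check_source(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, message) findings for one module's source text."""
    visitor = MarkupVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample module: two safe uses, two unsafe ones (lines 9 and 12).
SAMPLE = '''
from markupsafe import Markup, escape
import flask

def safe(name):
    return Markup("<b>{}</b>").format(name)   # format() escapes name: fine

def unsafe_fstring(name):
    return Markup(f"<b>{name}</b>")           # name is interpolated unescaped

def unsafe_concat(name):
    return flask.Markup("<b>" + name + "</b>")

CONST = Markup("<hr>")                        # literal: fine
'''


def flagged_lines(source: str = SAMPLE) -> List[int]:
    """Line numbers of unsafe Markup() calls in the given source."""
    return [line for line, _col, _msg in check_source(source)]


if __name__ == "__main__":
    for line, col, msg in check_source(SAMPLE):
        print(f"sample.py:{line}:{col}: {msg}")
```

The check is deliberately conservative: it flags anything that is not a string literal, including `Markup(escape(x))`, which is safe but redundant, and it does not follow data flow, so a literal assigned to a variable and then wrapped would also be flagged. A real plugin would add `# noqa`-style suppression and a whitelist for calls like `escape()`; the point here is that the decision is purely syntactic, which is why it fits a flake8 or bandit rule.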
