ci: Pin transitive dependencies for tests on Python>=3.8#6437
2 issues
find-bugs: Found 2 issues (2 medium)
Medium
`.split("-")` on sdist filename in `_has_free_threading_dependencies` crashes for multi-hyphen package names - `scripts/populate_tox/populate_tox.py:13`
In _has_free_threading_dependencies (populate_tox.py ~line 730), when a transitive dependency only ships as a source distribution, the code does:
package_release = wheel_filename.rstrip(".tar.gz")
dependency_name, dependency_version = package_release.split("-")The unpack assumes exactly two parts. For any sdist whose package name contains a hyphen (e.g. azure-core-1.29.5.tar.gz, google-auth-2.x.y.tar.gz, typing-extensions-...tar.gz), split("-") yields ≥3 elements and raises ValueError: too many values to unpack (expected 2), aborting tox generation for that combination.
Use package_release.rsplit("-", 1) to split off only the version (PEP 440 versions never contain - in this context once the sdist filename is formed). Note also that rstrip(".tar.gz") is character-based and will over-strip filenames ending in characters from {., t, a, r, g, z} (e.g. foo-1.0.tar.gz → foo-1.0 ok, but foobar-1.0.tar.gz → foobar-1.0 also ok; however foo-1.2.tar.gz is fine while a name like boto3-... is fine — but the pattern is still fragile and should be removesuffix(".tar.gz")).
Constraints passed to `fetch_package_dependencies` are silently ignored when the disk cache has a prior unconstrained entry - `scripts/populate_tox/populate_tox.py:934-939`
When _render_transitive_dependencies calls fetch_package_dependencies with a non-empty constraints tuple, _fetch_package_dependencies_from_cache ignores constraints in its key lookup, so a prior unconstrained disk-cache entry (e.g. one written by _has_free_threading_dependencies for the same (package, version, "3.14t") triple) is returned as-is, silently discarding the constraints and producing incorrect pinned transitive dependencies for that Python version.
⏱ 19m 21s · 2.1M in / 102.2k out · $4.36
Annotations
Check warning on line 13 in scripts/populate_tox/populate_tox.py
sentry-warden / warden: find-bugs
`.split("-")` on sdist filename in `_has_free_threading_dependencies` crashes for multi-hyphen package names
In `_has_free_threading_dependencies` (populate_tox.py ~line 730), when a transitive dependency only ships as a source distribution, the code does:
```python
package_release = wheel_filename.rstrip(".tar.gz")
dependency_name, dependency_version = package_release.split("-")
```
The unpack assumes exactly two parts. For any sdist whose package name contains a hyphen (e.g. `azure-core-1.29.5.tar.gz`, `google-auth-2.x.y.tar.gz`, `typing-extensions-...tar.gz`), `split("-")` yields ≥3 elements and raises `ValueError: too many values to unpack (expected 2)`, aborting tox generation for that combination.
Use `package_release.rsplit("-", 1)` to split off only the version (PEP 440 versions never contain `-` in this context once the sdist filename is formed). Note also that `rstrip(".tar.gz")` is character-based and will over-strip filenames ending in characters from `{., t, a, r, g, z}` (e.g. `foo-1.0.tar.gz` → `foo-1.0` ok, but `foobar-1.0.tar.gz` → `foobar-1.0` also ok; however `foo-1.2.tar.gz` is fine while a name like `boto3-...` is fine — but the pattern is still fragile and should be `removesuffix(".tar.gz")`).
Check warning on line 939 in scripts/populate_tox/populate_tox.py
sentry-warden / warden: find-bugs
Constraints passed to `fetch_package_dependencies` are silently ignored when the disk cache has a prior unconstrained entry
When `_render_transitive_dependencies` calls `fetch_package_dependencies` with a non-empty `constraints` tuple, `_fetch_package_dependencies_from_cache` ignores `constraints` in its key lookup, so a prior unconstrained disk-cache entry (e.g. one written by `_has_free_threading_dependencies` for the same `(package, version, "3.14t")` triple) is returned as-is, silently discarding the constraints and producing incorrect pinned transitive dependencies for that Python version.