ci: Pin transitive dependencies for tests on Python>=3.8 #6437
2 issues
Medium
try/except only catches DryRunFailed, leaving json.JSONDecodeError unhandled when pip succeeds with non-JSON output - `scripts/populate_tox/populate_tox.py:1233-1237`
If uv/pip exits with code 0 but emits non-JSON output (e.g. warnings that slip through `-qqq`), `json.loads` in `_run_pip_dry_run` raises `json.JSONDecodeError`, which is not caught by `except DryRunFailed` here and will crash the entire script instead of skipping that Python version gracefully. Have you considered widening the except clause to also catch `json.JSONDecodeError` (and possibly `KeyError`)?
`rstrip(".tar.gz")` strips individual chars instead of the suffix - `scripts/populate_tox/populate_tox.py:14`
At line 732 (`_has_free_threading_dependencies`), `wheel_filename.rstrip(".tar.gz")` removes any character from the set {'.', 't', 'a', 'r', 'g', 'z'} from the right — not the literal suffix `.tar.gz`. For an sdist like `foo-2.0a.tar.gz` it would strip the trailing `a` from the version, corrupting the package name/version split. Use `removesuffix(".tar.gz")` (already used correctly at line 700 for `.whl`).
4 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 54.0s | $0.31 |
| code-review | 1 | 5m 16s | $1.02 |
| find-bugs | 1 | 19m 6s | $2.60 |
| skill-scanner | 0 | 17.1s | $0.17 |
⏱ 25m 33s · 2.0M in / 109.5k out · $4.10