ci: Pin transitive dependencies for tests on Python>=3.8 #6437

Merged · alexander-alderman-webb merged 30 commits into master from webb/populate-tox/transitive-dependencies · Jun 2, 2026
unpin setuptools

47200a7
@sentry/warden / warden: find-bugs completed May 29, 2026 in 19m 20s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

`rstrip(".tar.gz")` strips individual chars instead of the suffix - `scripts/populate_tox/populate_tox.py:14`

At line 732 (`_has_free_threading_dependencies`), `wheel_filename.rstrip(".tar.gz")` removes any character from the set `{'.','t','a','r','g','z'}` from the right — not the literal suffix `.tar.gz`. For a sdist like `foo-2.0a.tar.gz` it would strip the trailing `a` from the version, corrupting the package name/version split. Use `removesuffix(".tar.gz")` (already used correctly at line 700 for `.whl`).


⏱ 19m 6s · 1.3M in / 79.0k out · $2.57
