Consider code complexity tracking, and other tools.

[jenstroeger]

Tools like Wily and Radon allow to track code complexity metrics, e.g. based on cyclomatic complexity or Halstaed’s complexity metrics. It might make sense to track these (and other?) metrics to measure software maintainability.

In addition, e.g. Bandit or dlint might be useful additions?

[jenstroeger]

See also the Complexity section of Awesome flake8 plugins. There’s also the wemake-python-styleguide plugin which acts as a wrapper around a bunch of other tools and plugins…

In addition, e.g. Bandit or dlint might be useful additions?

PR #214 adds Bandit as git commit hook.

[jenstroeger]

It probably makes sense to consider the pip-audit package too (see discussion).

[jenstroeger]

It probably makes sense to consider the pip-audit package too (see discussion).

Played around with it, and the tools looks useful:

> pip-audit 
Found 2 known vulnerabilities in 2 packages
Name     Version ID             Fix Versions
-------- ------- -------------- ------------
lxml     4.7.1   PYSEC-2022-230 4.9.1
waitress 2.1.1   PYSEC-2022-205 2.1.2

However, I wouldn’t use it as a commit hook because dependecies don’t change that often. Instead, it would probably make sense to add it to our Makefile:

python-package-template/Makefile

Lines 80 to 86 in c754175

	.PHONY: upgrade force-upgrade
	upgrade: .venv/upgraded-on
	.venv/upgraded-on: pyproject.toml
	python -m pip install --upgrade pip
	python -m pip install --upgrade wheel
	python -m pip install --upgrade --upgrade-strategy eager --editable .[hooks,dev,test,docs]
	$(MAKE) upgrade-quiet

Call git-audit right after the packages have been updated:

python -m pip_audit

However, if a pip-audit run fails then it fails setting up a venv during an Action run and thereby fails the Action 🤔

[jenstroeger]

Moving PR #377 over here (and closing): I stumbled upon the dependency-review-action which looked useful. Not sure if build.yaml is a good place, or better pr-change-set.yaml. What do you think, @behnazh?

[behnazh]

Another tool too consider is guarddog.

[jenstroeger]

And then there’s super-linter, which looks rather interesting too 🤓

[jenstroeger]

pylint offers a number of optional checkers which we can review. I didn’t find a list of additional, third-party checkers though…

[jenstroeger]

There’s also Ruff which incorporates lint and flake and various checkers in one single tool.

[jenstroeger]

Another interesting tool is import-linter that checks if user-specified import contracts are met by the code.

[jenstroeger]

And perflint looks like a useful pylint plugin, too.