Jon
Any update on this PR? I'd much rather not bundle known exploits.
@ljharb Is there some public analysis that I can read which supports that conclusion?
That does assume that all inputs are known to be good though. In my case that's fine, but as a general stance I don't think that's good.
You're welcome to reopen the issue, but I solved my issue by using some bash to replace the include/exclude logic.
@bittner Whoops. Reopened for ya. If it helps the conversation here's the bash/git logic I ended up with ``` bandit -iii -lll $(git diff --name-only $(git log remotes/origin/master..HEAD --oneline |...
> Why `NamedTemporaryFile` instead of `mkstemp`?

Just following the guidance on the Python doc. I can switch over to `mkstemp` if you'd prefer, that may resolve the weirdness issues as...
> The documentation warning recommending the use of `NamedTemporaryFile` predates the deprecation. The actual deprecation note suggests `mkstemp`: > > > Deprecated since version 2.3: Use mkstemp() instead. So it...
Ok, pushed a few commits. Back to `NamedTemporaryFile` in the existing try-catch, Bandit -B306 has been removed, and I tried to get rid of the twisted `mktemp`
💄 applied
Smashed this down to one commit and in the process somehow `test_spider_custom_settings_log_append` got marked as a new function. I can rebase on a newer master if you like. Locally I...