Eric Brown
However, I also found that the oldest version of Python 3.8, 3.8.0, which Bandit officially still supports, does include an older, vulnerable version of expat, 2.2.8: https://github.com/python/cpython/blob/v3.8.0/Modules/expat/expat.h#L1016 The same can...
Expat 2.4.1 wasn't added to Python 3.8 until 3.8.12. Similar for 3.9, not until 3.9.7.
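A quick way to confirm which expat a given interpreter actually links, added here as an example and not code from Bandit or CPython: `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` expose the bundled expat version, and the helper compares it against 2.4.1, the release the comments above identify as the first one carrying the fix. The CPython-to-expat table is constructed from those comments only (3.8.0, 3.8.12, 3.9.7); the threshold and the function names are this example's assumptions.

```python
"""Report whether the running interpreter bundles an expat older than 2.4.1."""
import re
from typing import Dict, List, Tuple

import pyexpat

Version = Tuple[int, int, int]

# First expat release the discussion above treats as fixed (assumption taken
# from the comments; adjust if a different minimum applies).
MIN_EXPAT: Version = (2, 4, 1)

# Constructed from the comments above: CPython tag -> bundled expat label,
# in the same 'expat_X.Y.Z' form that pyexpat.EXPAT_VERSION uses.
CPYTHON_EXPAT: Dict[str, str] = {
    "v3.8.0": "expat_2.2.8",
    "v3.8.12": "expat_2.4.1",
    "v3.9.7": "expat_2.4.1",
}


def parse_expat_version(label: str) -> Version:
    """Turn a label such as 'expat_2.2.8' into a comparable (major, minor, micro)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", label)
    if match is None:
        raise ValueError(f"unrecognised expat version label: {label!r}")
    major, minor, micro = (int(part) for part in match.groups())
    return (major, minor, micro)


def expat_is_outdated(version: Version, minimum: Version = MIN_EXPAT) -> bool:
    """True when the bundled expat predates the minimum we accept."""
    return tuple(version) < tuple(minimum)


def outdated_interpreters(table: Dict[str, str] = CPYTHON_EXPAT) -> List[str]:
    """Which CPython builds in the table ship an expat below MIN_EXPAT."""
    return [
        tag for tag, label in table.items()
        if expat_is_outdated(parse_expat_version(label))
    ]


def running_expat() -> Version:
    """The expat version linked into this interpreter, from pyexpat."""
    major, minor, micro = pyexpat.version_info
    return (major, minor, micro)


if __name__ == "__main__":
    status = "outdated" if expat_is_outdated(running_expat()) else "ok"
    print(f"{pyexpat.EXPAT_VERSION}: {status} (minimum {MIN_EXPAT})")
    print("builds from the comments below the minimum:", outdated_interpreters())
```

Run it under each interpreter you support in CI; the string label from `EXPAT_VERSION` is what appears in the CPython source linked above, so the parser accepts the same form.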
FYI, in my testing, I have found that this change significantly sped up scans of 4 test repos I used. It skipped many files that the default exclude didn't catch....
> Should probably support hgignore too

Is there much use of Mercurial anymore? Also, we'd have to find and pull in a new dependency to parse .hgignore files since GitPython...
FYI, also opened an issue on GitPython to support ignored file lists with sizes above ARG_MAX. https://github.com/gitpython-developers/GitPython/issues/1790
I'd argue this is a good improvement to the usability of Bandit. For many projects that use tox, they already have .tox in their .gitignore, so with this addition, it helps...
We can also utilize ignorelib (https://pypi.org/project/ignorelib/) instead of GitPython, which could make the code cleaner and not depend on GitPython, which shells out to run a command.
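To make concrete what ".gitignore-aware exclusion" in a scanner's file walk involves, here is an added example that is not Bandit's implementation and does not use GitPython or ignorelib: a small pure-Python matcher for the common subset of gitignore syntax (comments, `!` negation, trailing `/` for directory-only patterns, patterns containing `/` anchored at the repository root, others matched against the basename at any depth, last matching rule wins, and a file under an excluded directory staying excluded even if a later `!` rule names it). Because it never passes the file list to a `git` subprocess, it also sidesteps the ARG_MAX problem mentioned above. The `.gitignore` text, file list and function names are constructed for the example; `*` here matches `/` as well, which real git does not do, so treat it as an illustration of the semantics rather than a drop-in replacement.

```python
"""Filter scan targets with a minimal .gitignore-style rule set."""
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    pattern: str      # glob with leading/trailing slashes stripped
    negated: bool     # line started with '!'
    dir_only: bool    # line ended with '/'
    anchored: bool    # line contained a '/' (other than a trailing one)


def parse_gitignore(text: str) -> List[Rule]:
    """Parse .gitignore lines into Rules, keeping file order (later rules win)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        if dir_only:
            line = line.rstrip("/")
        anchored = "/" in line          # decided before the leading '/' is removed
        rules.append(Rule(line.lstrip("/"), negated, dir_only, anchored))
    return rules


def _rule_matches(rule: Rule, rel_path: str, is_dir: bool) -> bool:
    if rule.dir_only and not is_dir:
        return False
    if rule.anchored:
        # Anchored patterns are matched against the whole repo-relative path.
        return fnmatch.fnmatchcase(rel_path, rule.pattern)
    # Unanchored patterns match the last path component at any depth.
    return fnmatch.fnmatchcase(posixpath.basename(rel_path), rule.pattern)


def is_ignored(rel_path: str, rules: Iterable[Rule], is_dir: bool = False) -> bool:
    """True if rel_path (POSIX form, relative to the repo root) is excluded."""
    rules = list(rules)
    parts = rel_path.strip("/").split("/")
    # Evaluate every ancestor first: once a directory is excluded, nothing
    # beneath it can be re-included, matching git's documented behaviour.
    for depth in range(1, len(parts) + 1):
        sub_path = "/".join(parts[:depth])
        sub_is_dir = is_dir if depth == len(parts) else True
        ignored = False
        for rule in rules:                      # last matching rule wins
            if _rule_matches(rule, sub_path, sub_is_dir):
                ignored = not rule.negated
        if ignored:
            return True
    return False


def filter_scan_targets(files: Iterable[str], rules: Iterable[Rule]) -> List[str]:
    """Return only the files a scanner should still look at."""
    rules = list(rules)
    return [path for path in files if not is_ignored(path, rules)]


# Constructed sample .gitignore, not taken from any real project.
SAMPLE_GITIGNORE = """\
# build and test artefacts
.tox/
build/
!build/keep.py
*.pyc
*.log
!important.log
/secrets.env
"""

# Constructed file list standing in for a repository walk.
SAMPLE_FILES = [
    "src/app.py",
    "src/__pycache__/app.cpython-38.pyc",
    ".tox/py38/lib/site-packages/requests/api.py",
    "build/keep.py",
    "logs/debug.log",
    "logs/important.log",
    "secrets.env",
    "config/secrets.env",
]


if __name__ == "__main__":
    for target in filter_scan_targets(SAMPLE_FILES, parse_gitignore(SAMPLE_GITIGNORE)):
        print(target)
```

Note that `build/keep.py` stays excluded despite the `!build/keep.py` line, because its parent directory was excluded first; that is the behaviour projects relying on `.gitignore` for scanner exclusion should expect. `/secrets.env` only excludes the root-level file, so `config/secrets.env` is still scanned.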
I'm not able to reproduce on macOS. What operating system are you using? What is the value of your TERM environment variable?
```
Erics-MacBook-Pro-2:examples ericwb$ pre-commit run --all-files
bandit...................................................................Failed
-...
```
Yes, if you look back at PR #743 that created this new check, there was concern over introducing such a low confidence plugin. The best course of action for now...
Should be fixed with #1011