Consider code complexity tracking, and other tools.
Tools like Wily and Radon allow tracking code complexity metrics, e.g. based on cyclomatic complexity or Halstead’s complexity metrics. It might make sense to track these (and other?) metrics to measure software maintainability.
In addition, e.g. ~Bandit~ or dlint might be useful additions?
See also the Complexity section of Awesome flake8 plugins. There’s also the wemake-python-styleguide plugin which acts as a wrapper around a bunch of other tools and plugins…
PR #214 adds Bandit as git commit hook.
It probably makes sense to consider the pip-audit package too (see discussion).
Played around with it, and the tool looks useful:

```
> pip-audit
Found 2 known vulnerabilities in 2 packages
Name     Version ID             Fix Versions
-------- ------- -------------- ------------
lxml     4.7.1   PYSEC-2022-230 4.9.1
waitress 2.1.1   PYSEC-2022-205 2.1.2
```
However, I wouldn’t use it as a commit hook because dependencies don’t change that often. Instead, it would probably make sense to add it to our Makefile:
https://github.com/jenstroeger/python-package-template/blob/c7541754294c634cd807068ffaf37bd0279cbb52/Makefile#L80-L86
Call pip-audit right after the packages have been updated:

```
python -m pip_audit
```
However, if a pip-audit run fails then it fails setting up a venv during an Action run and thereby fails the Action 🤔
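One way to keep the audit from breaking venv setup is to run it as its own step, parse its result, and decide explicitly what should fail the job. The script below is an added example, not code from the python-package-template project: it parses the columnar output pip-audit printed above (the sample is that output, embedded verbatim as constructed input), wraps the subprocess call so it never raises, and applies an assumed gating policy of "fail only when a finding has a published fix version, otherwise report and continue". The columnar format, the `fail_on_unfixable` knob and the policy itself are assumptions for illustration.

```python
"""Parse pip-audit's table output and gate a CI step on the result.

Added example (not part of the python-package-template project). The
gating policy, "fail only when a fix version exists", is an assumption
chosen to show how to separate the audit from venv setup.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample: the pip-audit output pasted in the thread above.
SAMPLE_OUTPUT = """\
Found 2 known vulnerabilities in 2 packages
Name     Version ID             Fix Versions
-------- ------- -------------- ------------
lxml     4.7.1   PYSEC-2022-230 4.9.1
waitress 2.1.1   PYSEC-2022-205 2.1.2
"""


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    vuln_id: str
    fix_versions: tuple  # empty when pip-audit printed no fix version


def parse_pip_audit(text):
    """Return Finding records from pip-audit's default (columnar) output.

    Rows start after the dashed separator line; each row is
    'name version id [fix, fix, ...]'. Assumes that column layout.
    """
    findings = []
    in_table = False
    for line in text.splitlines():
        if re.match(r"^-+\s+-+", line):
            in_table = True  # separator reached; following lines are rows
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        name, version, vuln_id = parts[:3]
        # Fix versions may be comma- or space-separated; empty if none given.
        fixes = tuple(f for chunk in parts[3:] for f in chunk.split(",") if f)
        findings.append(Finding(name, version, vuln_id, fixes))
    return findings


def should_fail(findings, fail_on_unfixable=False):
    """Gate policy (assumed): a finding with a published fix is actionable,
    so it fails the step; unfixable findings only fail if requested."""
    if any(f.fix_versions for f in findings):
        return True
    return fail_on_unfixable and bool(findings)


def summarize(findings):
    """One line per finding, suitable for a CI log."""
    return [
        f"{f.name} {f.version}: {f.vuln_id} "
        + (f"(fix: {', '.join(f.fix_versions)})" if f.fix_versions else "(no fix yet)")
        for f in findings
    ]


def run_audit(python=sys.executable):
    """Run pip-audit in a subprocess; never raises, returns (exit_code, output).

    Keeping this separate from venv creation means a non-zero audit exit
    code is a reported result, not a failed environment setup.
    """
    proc = subprocess.run([python, "-m", "pip_audit"], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    _code, output = run_audit()
    found = parse_pip_audit(output)
    for line in summarize(found):
        print(line)
    sys.exit(1 if should_fail(found) else 0)
```

Invoked as a separate Makefile or workflow step (after the venv exists and packages are installed), the exit code then reflects only the chosen policy; the raw pip-audit exit status is captured rather than propagated.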
Moving PR https://github.com/jenstroeger/python-package-template/pull/377 over here (and closing): I stumbled upon the dependency-review-action which looked useful. Not sure if build.yaml is a good place, or better pr-change-set.yaml. What do you think, @behnazh?
Another tool to consider is guarddog.
And then there’s super-linter, which looks rather interesting too 🤓
pylint offers a number of optional checkers which we can review. I didn’t find a list of additional, third-party checkers though…
There’s also Ruff which incorporates lint and flake and various checkers in one single tool.
Another interesting tool is import-linter that checks if user-specified import contracts are met by the code.
And perflint looks like a useful pylint plugin, too.