
A static code analysis tool that detects dependency injection anti-patterns in Python projects. This linter helps enforce clean architecture principles by identifying direct instantiation or usage of project-specific dependencies within your code.
Dependency Injection is a design pattern where a class or function receives its dependencies from external sources rather than creating them internally. This pattern promotes:
This linter identifies cases where project-specific dependencies are directly created or used within functions or methods, rather than being injected as parameters. It helps enforce the principle that dependencies should be passed in, not created internally.
```python
# BAD: Direct instantiation of project dependencies
from project.user.repo import UserRepository

def process_data():
    repository = UserRepository()  # DI001: Dependency injection
    data = repository.get_all()
    return data

# BAD: Direct usage of project module functions
from project.notifications import send_email

def send_notification():
    send_email("user@example.com", "Hello")  # DI001: Dependency injection

# BAD: Using context managers from project modules
from project.db import context_manager

def backup_data():
    with context_manager():  # DI001: Dependency injection
        # do something
        pass
```
See more examples in my_module.py
```python
# GOOD: Dependencies injected as parameters
def process_data(repository):
    data = repository.get_all()
    return data

# GOOD: Dependencies passed as arguments
def send_notification(email_sender):
    email_sender("user@example.com", "Hello")

# GOOD: Context managers passed as parameters
def backup_data(context_manager):
    with context_manager():
        # do something
        pass
```
```shell
# Install
pip install di-linter

# Run the standalone linter on a project
di-linter path/to/project

# Run with an explicit configuration file
di-linter --config-path di.toml

# Or run it as a flake8 plugin
flake8 --select=DI path/to/your/project
```
The configuration file `di.toml` is optional. If not provided, the linter will work with default settings.
```toml
# Required: The root directory of your project
project-root = "project"

# Optional: Objects to exclude from dependency injection checks
exclude-objects = ["Settings", "DIContainer"]

# Optional: Modules to exclude from dependency injection checks
exclude-modules = ["endpoints.py"]
```
The linter looks for the configuration file in the following locations:

- `./di.toml`

You can also specify a custom path to the configuration file using the `--config-path` option:

```shell
di-linter path/to/project --config-path /path/to/custom/di.toml
```
The project root is automatically detected by looking for marker files such as:

- `setup.py`
- `setup.cfg`
- `pyproject.toml`
- `requirements.txt`

or, failing that, by walking up the directory tree until the parent directory no longer contains an `__init__.py`.
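The two lookups described above (project root detection via marker files with the `__init__.py` fallback, and the `./di.toml` default versus an explicit `--config-path`) as an added, self-contained example. This is not di-linter's own code: the marker list and the search order are taken from the text, while the function names, the decision to resolve `./di.toml` against the current working directory passed in as `cwd`, and the rule that an explicit but missing `--config-path` is an error rather than silently ignored are assumptions made here.

```python
import tempfile
from pathlib import Path

# Marker files named in the README; order does not matter, any one of them counts.
MARKER_FILES = ("setup.py", "setup.cfg", "pyproject.toml", "requirements.txt")
CONFIG_NAME = "di.toml"


def find_project_root(start):
    """Return the project root for `start` (a file or directory).

    First rule: walk upward and return the first directory holding a marker
    file. Fallback rule: keep climbing while the parent directory still has an
    __init__.py, i.e. return the topmost package directory.
    """
    here = Path(start).resolve()
    if not here.is_dir():
        here = here.parent
    for candidate in (here, *here.parents):
        if any((candidate / marker).is_file() for marker in MARKER_FILES):
            return candidate
    package = here
    while (package.parent / "__init__.py").is_file():
        package = package.parent
    return package


def resolve_config_path(cwd, config_path=None):
    """Pick the configuration file to load.

    An explicit --config-path wins and must exist (assumption: a typo in the
    path should fail loudly, not fall back to defaults). Otherwise ./di.toml
    relative to `cwd` is used if present; None means run with default settings.
    """
    if config_path is not None:
        explicit = Path(config_path)
        if not explicit.is_file():
            raise FileNotFoundError(f"config file not found: {explicit}")
        return explicit.resolve()
    default = Path(cwd) / CONFIG_NAME
    return default.resolve() if default.is_file() else None


def demo():
    """Build two constructed directory trees in temp dirs and exercise both lookups."""
    results = {}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        # Tree A: a marker file at the top and a di.toml beside it.
        base = Path(a).resolve()
        (base / "pyproject.toml").write_text("[project]\nname = 'demo'\n")
        repo_dir = base / "project" / "user"
        repo_dir.mkdir(parents=True)
        for d in (base / "project", repo_dir):
            (d / "__init__.py").touch()
        (repo_dir / "repo.py").write_text("class UserRepository: ...\n")
        (base / "di.toml").write_text('project-root = "project"\n')

        results["root_from_marker"] = find_project_root(repo_dir / "repo.py") == base
        results["config_in_cwd"] = resolve_config_path(base) == base / "di.toml"
        results["config_absent"] = resolve_config_path(base / "project") is None
        results["config_explicit"] = (
            resolve_config_path(base / "project", base / "di.toml") == base / "di.toml")
        try:
            resolve_config_path(base, base / "missing.toml")
            results["explicit_missing_raises"] = False
        except FileNotFoundError:
            results["explicit_missing_raises"] = True

        # Tree B: no marker files at all, so the package rule decides.
        top = Path(b).resolve() / "top"
        inner = top / "inner"
        inner.mkdir(parents=True)
        for d in (top, inner):
            (d / "__init__.py").touch()
        (inner / "mod.py").write_text("x = 1\n")
        results["root_from_packages"] = find_project_root(inner / "mod.py") == top
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the fallback rule returns the topmost package directory (the one whose parent has no `__init__.py`), which is what the README sentence literally describes; if your layout keeps `di.toml` one level above that package, pass that directory as `cwd` or use `--config-path`.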
The configuration file `di.toml` is optional for the flake8 plugin as well. If not provided, the plugin will work with default settings and follow the same configuration file search logic as the standalone tool.

Add the following to your flake8 configuration file (e.g., `.flake8`, `setup.cfg`, or `tox.ini`):
```ini
[flake8]
select = DI
di-exclude-objects = Settings,DIContainer
di-exclude-modules = endpoints.py
# Optional: custom path to configuration file (keep comments on their own line;
# flake8's config parser does not strip trailing comments from values)
di-config = path/to/di.toml
```
You can also specify these options on the command line:

```shell
flake8 --select=DI --di-exclude-objects=Settings,DIContainer --di-exclude-modules=endpoints.py --di-config=path/to/di.toml path/to/your/project
```
The `--di-config` option allows you to specify a custom path to the configuration file, which is useful when you want to use a configuration file that's not in one of the default locations.
You can skip specific lines by adding a `# di: skip` comment:

```python
def myfunc():
    repository = UserRepository()  # di: skip
```
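The rule behind DI001, as described in the BAD/GOOD snippets above and the `# di: skip` opt-out, written out as an added AST-based checker. This is an illustration, not di-linter's own implementation: it assumes a project dependency is any name bound by `from <project-root>... import ...`, treats a call, instantiation or `with` statement on such a name inside a `def` as a finding, honours `exclude-objects` by the object's final name segment, `exclude-modules` by file name, and the per-line `# di: skip` marker. The `lint` and `DIChecker` names and the constructed `SAMPLE` module are assumptions made here.

```python
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "line col message")


class DIChecker(ast.NodeVisitor):
    """Report DI001: a name imported from `<project_root>.*` that is called,
    instantiated or used as a context manager inside a function/method body,
    unless it is in `exclude_objects` or the line carries `# di: skip`."""

    def __init__(self, source, project_root="project", exclude_objects=()):
        self.lines = source.splitlines()
        self.project_root = project_root
        self.exclude_objects = set(exclude_objects)
        self.project_names = set()  # names bound by `from project... import ...`
        self.findings = []
        self._depth = 0             # > 0 while inside a function or method body

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] == self.project_root:
            for alias in node.names:
                self.project_names.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self._depth += 1
        self.generic_visit(node)
        self._depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        if self._depth:
            self._maybe_report(node, ast.unparse(node))
        self.generic_visit(node)

    def visit_With(self, node):
        for item in node.items:
            expr = item.context_expr
            if self._depth and isinstance(expr, ast.Call):
                # Report in `with x():` form; generic_visit still checks the
                # call's arguments without reporting this call a second time.
                self._maybe_report(expr, f"with {ast.unparse(expr)}:")
                self.generic_visit(expr)
            else:
                self.visit(expr)
            if item.optional_vars is not None:
                self.visit(item.optional_vars)
        for stmt in node.body:
            self.visit(stmt)

    @staticmethod
    def _root_name(expr):
        # `pkg.db.transaction(...)` -> "pkg"; `UserRepository(...)` -> "UserRepository"
        while isinstance(expr, ast.Attribute):
            expr = expr.value
        return expr.id if isinstance(expr, ast.Name) else None

    def _maybe_report(self, call, rendered):
        root = self._root_name(call.func)
        if root is None or root not in self.project_names:
            return  # e.g. an injected parameter: not a project dependency
        if ast.unparse(call.func).rsplit(".", 1)[-1] in self.exclude_objects:
            return  # exclude-objects from di.toml
        if "# di: skip" in self.lines[call.lineno - 1]:
            return  # per-line opt-out
        self.findings.append(
            Finding(call.lineno, call.col_offset, f"Dependency injection: {rendered}"))


def lint(source, filename="module.py", project_root="project",
         exclude_objects=(), exclude_modules=()):
    """Return DI001 findings for one module; exclude-modules matches the file name."""
    if filename in exclude_modules:
        return []
    checker = DIChecker(source, project_root, exclude_objects)
    checker.visit(ast.parse(source, filename=filename))
    return checker.findings


# Constructed sample module mirroring the BAD/GOOD snippets above.
SAMPLE = '''\
from project.user.repo import UserRepository
from project.db import db_transaction
from project.config import Settings

def process_data():
    repository = UserRepository()
    return repository.get_all()

def backup_data():
    with db_transaction():
        pass

def configured():
    return Settings()

def skipped():
    return UserRepository()  # di: skip

def injected(repository):
    return repository.get_all()
'''
```

Running `lint(SAMPLE, exclude_objects=("Settings",))` reports lines 6 and 10 only: `injected` uses its parameter, `skipped` carries the marker, and `Settings` is excluded. The same two findings rendered as `module.py:6:18: DI001 ...` give the flake8-style output shown below.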
| Code | Description |
|---|---|
| DI001 | Dependency injection: Direct usage of project dependencies |
Example output from the standalone tool:

```text
Analyzing: /path/to/project
Project name: project
Exclude objects: []
Exclude modules: []
/path/to/project/module.py:10: Dependency injection: UserRepository()
/path/to/project/module.py:15: Dependency injection: with db_transaction():
```

Example output from the flake8 plugin (flake8's `file:line:column: CODE message` format):

```text
/path/to/project/module.py:10:5: DI001 Dependency injection: UserRepository()
/path/to/project/module.py:15:10: DI001 Dependency injection: with db_transaction():
```