| |CI|_
A collection of code quality tools:

- A few pylint plugins to check for quality issues pylint misses.
- A command-line tool to generate config files like pylintrc from a master file (part of edx_lint), and a repo-specific tweaks file.
The ``edx_lint`` command can generate config files from its own master file. Install
the package using pip::

    $ pip install edx-lint
The ``write`` sub-command will write a config file based on the contents of the
edx_lint master file::

    $ edx_lint write pylintrc
The file written contains a hash of its contents, to detect subsequent editing.
``edx_lint`` will detect this when it next tries to write the file. If editing
is detected, the edited file will be moved aside so it can be compared to the
newly written file.
New potential lint violations will be communicated with a major version bump.
If you run into new lint violations during an upgrade of edx-lint, your options include:

#. Fixing the violations immediately, or
#. Using ``lint-amnesty`` and fixing at a later time, or
#. Customizing ``edx_lint`` to permanently ignore the violations.
The ``lint-amnesty`` command can be used to squash all existing pylint errors
in a codebase, so that from then on the repository can maintain pylint-cleanliness.
Install the package using pip::

    $ pip install edx-lint
The ``lint-amnesty`` command expects pylint errors in the ``--output-format=parseable``
format::

    $ pylint my.python.package --output-format=parseable | lint-amnesty

This will add comments for every existing pylint violation that look like::

    # pylint: disable=some-error # lint-amnesty

It will also remove any existing suppressions that pylint flags as
``useless-suppression``.
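The amnesty step described above, as an added example that is not the lint-amnesty tool's own code: a small Python version that parses pylint's parseable output, appends the comment shown to each offending source line, and drops an existing amnesty comment that pylint reports as a useless-suppression. The path ``my/module.py``, the source text and the pylint lines are constructed sample input, and treating one useless-suppression report as covering the whole comment on that line is a simplification of what the real tool does.

```python
"""Added example, not the lint-amnesty tool's own code: a miniature version of
what the README describes. It parses pylint's ``--output-format=parseable``
lines, appends ``# pylint: disable=<symbols> # lint-amnesty`` to each offending
source line, and strips an existing amnesty comment when pylint reports it as
a useless-suppression. The module path, source and pylint output below are
constructed; treating a useless-suppression report as covering the whole
comment on that line is a simplification."""
from __future__ import annotations

import re
from collections import defaultdict

# Parseable format: "path:line: [MSGID(symbol), object] message"
PARSEABLE_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+): "
    r"\[(?P<msgid>[A-Z]\d{4})\((?P<symbol>[\w-]+)\),\s*(?P<obj>[^\]]*)\] (?P<msg>.*)$"
)
# An amnesty comment previously added to a source line.
AMNESTY_RE = re.compile(r"\s*# pylint: disable=(?P<syms>[\w,-]+)\s*# lint-amnesty\s*$")

# Constructed sample source for the module "my/module.py".
SAMPLE_SOURCE = """import os
import sys  # pylint: disable=unused-import # lint-amnesty
def f(x):
    return sys.argv[x]
"""

# Constructed pylint output for that file (with useless-suppression enabled).
SAMPLE_PYLINT_OUTPUT = """************* Module my.module
my/module.py:1: [W0611(unused-import), ] Unused import os
my/module.py:2: [I0021(useless-suppression), ] Useless suppression of 'unused-import'
my/module.py:3: [C0116(missing-function-docstring), f] Missing function or method docstring
my/module.py:3: [C0103(invalid-name), f] Function name "f" doesn't conform to snake_case naming style

-----------------------------------
Your code has been rated at 5.00/10
"""


def parse_parseable(output: str) -> dict[str, dict[int, set[str]]]:
    """Map file path -> line number -> set of message symbols."""
    found: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for raw in output.splitlines():
        m = PARSEABLE_RE.match(raw.strip())
        if m:  # module headers, dividers and the score line do not match
            found[m["path"]][int(m["line"])].add(m["symbol"])
    return found


def apply_amnesty(source: str, by_line: dict[int, set[str]]) -> str:
    """Return source with amnesty comments added, merged or removed per line."""
    out = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        symbols = set(by_line.get(lineno, ()))
        existing = AMNESTY_RE.search(line)
        if existing:
            line = line[: existing.start()]
            if "useless-suppression" not in symbols:
                symbols.update(existing["syms"].split(","))  # keep what was there
        symbols.discard("useless-suppression")  # never suppress the meta-message itself
        if symbols:
            line = f"{line.rstrip()}  # pylint: disable={','.join(sorted(symbols))} # lint-amnesty"
        out.append(line)
    return "\n".join(out) + "\n"


def run_amnesty(source: str, pylint_output: str, path: str) -> str:
    """Apply the violations reported for `path` to `source`."""
    return apply_amnesty(source, parse_parseable(pylint_output).get(path, {}))


if __name__ == "__main__":
    print(run_amnesty(SAMPLE_SOURCE, SAMPLE_PYLINT_OUTPUT, "my/module.py"), end="")
```

Running the module prints the rewritten source: line 1 gains an ``unused-import`` amnesty comment, line 2 loses its stale one, and line 3 collects both of its symbols in a single comment. Anything pylint emits that is not a parseable-format line (module headers, the score) is ignored rather than treated as a violation.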
You can customize the resulting pylintrc file by creating a ``pylintrc_tweaks`` file in the
current directory before running the ``write`` sub-command. It should contain only the
settings you want to override.

Note: If your project is not a Django project, you'll want to disable the Django plugins with your ``pylintrc_tweaks`` file::

    [MASTER]
    load-plugins = edx_lint.pylint
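How the ``write`` sub-command's master-plus-tweaks merge and the content hash from the earlier paragraphs fit together, as an added example rather than edx_lint's own code: ``configparser`` overlays the tweaks on a constructed master, the generated text is stamped with a SHA-256 of its body, and a later write moves a hand-edited file aside so the two can be compared. The marker line, the hash algorithm, the ``.edited`` backup name and both INI texts are assumptions made for the illustration.

```python
"""Added example, not edx_lint's own code: build a pylintrc from a master INI
plus a repo-local ``pylintrc_tweaks`` override, stamp it with a content hash,
and detect hand edits on the next write. The marker line, hash algorithm,
backup suffix and the sample INI texts are all assumptions for illustration."""
from __future__ import annotations

import configparser
import hashlib
import io
from pathlib import Path

HASH_MARK = "# edx_lint content hash (example): "  # assumed marker, not the real format
BACKUP_SUFFIX = ".edited"                           # assumed name for the moved-aside file

# Constructed master and tweaks files (not the project's real ones).
MASTER_INI = """[MASTER]
load-plugins = edx_lint.pylint,edx_lint.pylint.django
ignore = migrations

[MESSAGES CONTROL]
disable = missing-docstring
"""
TWEAKS_INI = """[MASTER]
load-plugins = edx_lint.pylint
"""


def merge_config(master_text: str, tweaks_text: str) -> str:
    """Overlay tweak settings on the master; only the overridden keys change."""
    master = configparser.ConfigParser(interpolation=None)
    master.read_string(master_text)
    tweaks = configparser.ConfigParser(interpolation=None)
    tweaks.read_string(tweaks_text)
    for section in tweaks.sections():
        if not master.has_section(section):
            master.add_section(section)
        for key, value in tweaks.items(section):
            master.set(section, key, value)  # the tweak wins over the master
    buf = io.StringIO()
    master.write(buf)
    return buf.getvalue()


def content_hash(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def stamp(body: str) -> str:
    """Prefix the generated body with a hash of exactly that body."""
    return f"{HASH_MARK}{content_hash(body)}\n{body}"


def check(text: str) -> str:
    """Classify a file as 'unstamped', 'clean' (hash matches) or 'edited'."""
    first, sep, body = text.partition("\n")
    if not sep or not first.startswith(HASH_MARK):
        return "unstamped"
    return "clean" if first[len(HASH_MARK):] == content_hash(body) else "edited"


def write_pylintrc(master_text: str, tweaks_text: str) -> str:
    """The text the write step would produce: merged config plus hash line."""
    return stamp(merge_config(master_text, tweaks_text))


def write_with_backup(path: Path, new_text: str) -> str | None:
    """Write new_text to path. If the existing file was hand-edited, move it
    aside first and return the backup path so the two can be diffed."""
    backup = None
    if path.exists() and check(path.read_text()) == "edited":
        backup = path.with_name(path.name + BACKUP_SUFFIX)
        path.replace(backup)
    path.write_text(new_text)
    return str(backup) if backup else None


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        rc = Path(tmp) / "pylintrc"
        write_with_backup(rc, write_pylintrc(MASTER_INI, TWEAKS_INI))
        print(check(rc.read_text()))  # a freshly written file is "clean"
        rc.write_text(rc.read_text() + "max-line-length = 200\n")  # simulate a hand edit
        print(write_with_backup(rc, write_pylintrc(MASTER_INI, TWEAKS_INI)))  # backup path
```

Because the hash covers the body only, any change to a generated line, including a Django plugin re-enabled by hand, flips ``check`` to ``edited`` on the next write, which is the cue to move the override into ``pylintrc_tweaks`` instead. Note that ``configparser`` discards comments when it re-serializes, so a master file that relies on comments would need a different merge strategy.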
To run the tests::

    $ make requirements
    $ make test

To manually test your pylint plugin, create a custom module and run pylint with a selected set of enabled message symbols. For instance::

    pylint --load-plugins=edx_lint.pylint --disable=all --enable=feature-toggle-needs-doc path/to/my/custom/module.py
The code in this repository is licensed under Apache 2.0. Please see
``LICENSE.txt`` for details.
Contributions are very welcome.
Please read `How To Contribute <https://github.com/openedx/.github/blob/master/CONTRIBUTING.md>`_ for details.
The Open edX project has resources for developer support on the `Getting Help`_ page.

.. _Getting Help: https://open.edx.org/getting-help

.. |CI| image:: https://github.com/openedx/edx-lint/workflows/Python%20CI/badge.svg?branch=master
.. _CI: https://github.com/openedx/edx-lint/actions?query=workflow%3A%22Python+CI%22