This is a Python tool to support lazy imports. The actual initialization of a module is deferred until the module is first used, which also postpones any ModuleNotFoundError to the point where the module is actually needed. This is useful when working with optional dependencies that might not all be installed, or which have high load times and/or resource consumption.
This project is maintained by the One Conversation team of Deutsche Telekom AG. It is based on `_LazyModule` from HuggingFace and `try_import()` from the Optuna framework. Many thanks to HuggingFace and to Optuna for their consent to publish it as a standalone package 🤗 ♥.
Lazy-Imports is available at the Python Package Index (PyPI). It can be installed with pip:
$ pip install lazy-imports
A good and easy to understand example of how to use Lazy-Imports can be found in the `__init__.py` file of the HPOflow package. It is printed here:

```python
import sys
from typing import TYPE_CHECKING

from lazy_imports import LazyImporter
from hpoflow.version import __version__

# Which public names live in which submodule of the hpoflow package.
_import_structure = {
    "mlflow": [
        "normalize_mlflow_entry_name",
        "normalize_mlflow_entry_names_in_dict",
        "check_repo_is_dirty",
    ],
    "optuna": ["SignificanceRepeatedTrainingPruner"],
    "optuna_mlflow": ["OptunaMLflow"],
    "optuna_transformers": ["OptunaMLflowCallback"],
    "utils": ["func_no_exception_caller"],
}

# Direct imports for type-checking
if TYPE_CHECKING:
    from hpoflow.mlflow import (  # noqa: F401
        check_repo_is_dirty,
        normalize_mlflow_entry_name,
        normalize_mlflow_entry_names_in_dict,
    )
    from hpoflow.optuna import SignificanceRepeatedTrainingPruner  # noqa: F401
    from hpoflow.optuna_mlflow import OptunaMLflow  # noqa: F401
    from hpoflow.optuna_transformers import OptunaMLflowCallback  # noqa: F401
    from hpoflow.utils import func_no_exception_caller  # noqa: F401
else:
    # At runtime, replace this module in sys.modules with a proxy that imports
    # each submodule only when one of its names is first accessed.
    sys.modules[__name__] = LazyImporter(
        __name__,
        globals()["__file__"],
        _import_structure,
        extra_objects={"__version__": __version__},
    )
```
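To make the mechanism behind the example above concrete, here is a stand-alone, stdlib-only re-implementation of the same idea, added for this page. It is not lazy_imports' own `LazyImporter`; the `MiniLazyModule` class, the `mini_lazy_impl` alias, the constructed `lazypkg` package and the missing dependency name `this_dependency_is_not_installed_xyz` are all made up for the demonstration. It writes a throwaway package to a temp dir whose `__init__.py` swaps itself for a proxy module, then checks when each submodule actually gets imported:

```python
"""Stdlib-only re-implementation of the lazy-module idea, added for this page;
not lazy_imports' own LazyImporter. A constructed package written to a temp dir
swaps itself for a proxy module in its __init__.py (the HPOflow pattern above).
The demo shows that importing the package loads no submodule, that attribute
access triggers the import, and that a missing dependency fails at first use.
"""
import importlib
import os
import sys
import tempfile
import types


class MiniLazyModule(types.ModuleType):
    """Module proxy mapping exported names to the submodule that defines them."""

    def __init__(self, name, module_file, import_structure, extra_objects=None):
        super().__init__(name)
        self.__file__ = module_file
        # __path__ is what lets the import system resolve "<name>.<submodule>".
        self.__path__ = [os.path.dirname(module_file)]
        self._import_structure = dict(import_structure)
        self._attr_to_submodule = {
            attr: sub for sub, attrs in import_structure.items() for attr in attrs
        }
        self._loaded = {}
        self.__all__ = list(self._attr_to_submodule)
        for key, value in (extra_objects or {}).items():
            setattr(self, key, value)

    def __getattr__(self, name):
        # Only invoked when normal lookup fails, i.e. the first time a name is touched.
        if name in self._import_structure:
            return self._load(name)
        if name in self._attr_to_submodule:
            value = getattr(self._load(self._attr_to_submodule[name]), name)
            setattr(self, name, value)  # cache: later lookups bypass __getattr__
            return value
        raise AttributeError(f"module {self.__name__!r} has no attribute {name!r}")

    def _load(self, sub):
        if sub not in self._loaded:
            # Import-time errors of the submodule (e.g. a missing dependency)
            # are raised here, at first use, not when the package was imported.
            self._loaded[sub] = importlib.import_module(f"{self.__name__}.{sub}")
        return self._loaded[sub]


# Demo scaffolding: alias this file so the generated __init__.py can import the class.
_impl = sys.modules.get(__name__) or types.ModuleType("mini_lazy_impl")
_impl.MiniLazyModule = MiniLazyModule
sys.modules["mini_lazy_impl"] = _impl

# Constructed package: "needs_missing_dep" imports a dependency that does not exist.
PACKAGE_FILES = {
    "__init__.py": (
        "import sys\n"
        "from mini_lazy_impl import MiniLazyModule\n"
        "_import_structure = {'fast': ['greet'], 'needs_missing_dep': ['use_dep']}\n"
        "sys.modules[__name__] = MiniLazyModule(__name__, globals()['__file__'],\n"
        "    _import_structure, extra_objects={'__version__': '0.1'})\n"
    ),
    "fast.py": "def greet(who):\n    return f'hello, {who}'\n",
    "needs_missing_dep.py": (
        "import this_dependency_is_not_installed_xyz\n"
        "def use_dep():\n    return this_dependency_is_not_installed_xyz.value\n"
    ),
}


def run_demo():
    """Write the package to a temp dir, import it lazily, report what loaded when."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lazypkg"))
    for fname, src in PACKAGE_FILES.items():
        with open(os.path.join(root, "lazypkg", fname), "w", encoding="utf-8") as fh:
            fh.write(src)
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    for key in [k for k in sys.modules if k == "lazypkg" or k.startswith("lazypkg.")]:
        del sys.modules[key]  # keep the demo repeatable within one process
    pkg = importlib.import_module("lazypkg")
    report = {
        "is_proxy": isinstance(pkg, MiniLazyModule),
        "version": pkg.__version__,
        "fast_loaded_after_import": "lazypkg.fast" in sys.modules,
    }
    report["greet"] = pkg.greet("world")
    report["fast_loaded_after_use"] = "lazypkg.fast" in sys.modules
    try:
        pkg.use_dep()
        report["deferred_error"] = None
    except ModuleNotFoundError as exc:
        report["deferred_error"] = exc.name  # surfaces here, far from `import lazypkg`
    return report


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when reading the report: a submodule's import-time code runs at the first attribute access, so any failure or side effect of that code shows up wherever the attribute is first touched, which can be far from the `import` statement; and only names listed in `_import_structure` are resolvable through the proxy, anything else raises `AttributeError` just like a normal module.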
`try_import` is a context manager that can wrap imports of optional packages to defer exceptions. This way you don't have to import the packages every time you call a function, but you can still import the package at the top of your module. The context manager defers the exceptions until you actually need to use the package. You can see an example below:

```python
from lazy_imports import try_import

with try_import() as optional_package_import:  # use try_import as a context manager
    import optional_package  # optional package that might not be installed

# other non-optional functions here


def optional_function():  # optional function that uses the optional package
    optional_package_import.check()  # check if the import was ok or raise a meaningful exception
    optional_package.some_external_function()  # use the optional package here
```
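To show what the deferral actually does at runtime, here is a stdlib-only illustration of a deferred-import context manager, added for this page. It is not lazy_imports' own `try_import`; the `DeferredImportError` class, the helper functions and the non-existent package name `fancy_serializer_not_installed_xyz` are constructed for the demo, and `json` stands in for an optional package that happens to be installed:

```python
"""Illustrative deferred-import context manager (stdlib only), added for this
page; not lazy_imports' own try_import. The with-block swallows the ImportError
of the wrapped import and records it; .check() raises a meaningful error only
when the optional code path is actually used.
"""
import contextlib


class DeferredImportError:
    """Holds the ImportError (if any) that a try_import() block captured."""

    def __init__(self):
        self.error = None

    @property
    def ok(self):
        return self.error is None

    def check(self):
        """Raise if the guarded import failed; no-op otherwise."""
        if self.error is not None:
            raise ImportError(
                f"optional dependency {self.error.name!r} is required for this "
                "feature but is not installed"
            ) from self.error


@contextlib.contextmanager
def try_import():
    state = DeferredImportError()
    try:
        yield state
    except ImportError as exc:
        # Catching the exception here suppresses it in the with-block; it is
        # kept on the state object and re-raised later by check().
        state.error = exc


# A stdlib module stands in for an optional package that IS installed.
with try_import() as json_import:
    import json

# A constructed, non-existent name stands in for a package that is NOT installed.
with try_import() as fancy_import:
    import fancy_serializer_not_installed_xyz as fancy  # noqa: F401


def to_json(obj):
    """Always-available path: the guarded import succeeded, check() is a no-op."""
    json_import.check()
    return json.dumps(obj, sort_keys=True)


def to_fancy(obj):
    """Optional path: fails only here, at use time, with a clear message."""
    fancy_import.check()
    return fancy.dumps(obj)


def describe_optional_failure(obj):
    """Return (message, missing module name) if the optional path is unavailable."""
    try:
        to_fancy(obj)
        return None
    except ImportError as exc:
        return str(exc), exc.__cause__.name


if __name__ == "__main__":
    print(to_json({"b": 2, "a": 1}))
    print(fancy_import.ok, describe_optional_failure({}))
```

Note that this demo catches only `ImportError` (and its subclass `ModuleNotFoundError`). Any other exception raised while the optional package initialises, say a `RuntimeError` from its import-time code, still propagates out of the `with` block immediately, which is the behaviour you want: deferral is for absent packages, not for hiding broken ones.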
The following channels are available for discussions, feedback, and support requests:
This project is built with security and data privacy in mind to ensure your data is safe. We are grateful to security researchers and users who report a vulnerability to us first. To ensure that your request is handled in a timely manner and that non-disclosure of vulnerabilities can be assured, please follow the guideline below.
Please do not report security vulnerabilities directly on GitHub. GitHub Issues can be publicly seen and therefore would result in a direct disclosure.
Please address questions about data privacy, security concepts, and other media requests to the opensource@telekom.de mailbox.
Our commitment to open source means that we are enabling - in fact encouraging - all interested parties to contribute and become part of our developer community.
Contribution and feedback are encouraged and always welcome. For more information about how to contribute, as well as additional contribution information, see our Contribution Guidelines.
This project has adopted the Contributor Covenant as our code of conduct. Please see the details in our Contributor Covenant Code of Conduct. All contributors must abide by the code of conduct.
Copyright (c) 2021 Philip May, Deutsche Telekom AG
Copyright (c) 2020, 2021 The HuggingFace Team
Copyright (c) 2018 Preferred Networks, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.