docs: TODO.md follow-ups deferred from the 2026-04-10 audit
Captures the lock-file generation work (audit #9) and the core/images.py dead-code cleanup (audit #15) as explicit follow-ups so they don't get lost between branches.
This commit is contained in:
parent
ec781141b3
commit
160db1f12a
23
TODO.md
Normal file
@ -0,0 +1,23 @@
# booru-viewer follow-ups

Items deferred from the 2026-04-10 security audit remediation that
weren't safe or in-scope to fix in the same branch.

## Dependencies / supply chain

- **Lock file** (audit #9): runtime deps now have upper bounds in
`pyproject.toml`, but there is still no lock file pinning exact
versions + hashes. Generating one needs `pip-tools` (or `uv`) as a
new dev dependency, which was out of scope for the security branch.
Next pass: add `pip-tools` to a `[project.optional-dependencies] dev`
extra and commit a `requirements.lock` produced by
`pip-compile --generate-hashes`. Hook into CI as a `pip-audit` job.

## Code quality

- **Dead code in `core/images.py`** (audit #15): `make_thumbnail` and
`image_dimensions` are unreferenced. The library's actual
thumbnailing happens in `gui/library.py:312-321` (PIL inline) and
`gui/library.py:323-338` (ffmpeg subprocess). Delete the two unused
functions next time the file is touched. Out of scope here under
the "no refactors" constraint.
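Review bot: the lock-file item (audit #9) says how to generate `requirements.lock` with `pip-compile --generate-hashes` but not how the hashes get enforced; a hash-bearing lock only protects installs that run `pip install --require-hashes -r requirements.lock`, so the TODO should name that as the install path for CI and release builds, otherwise the lock is decoration. Alongside the planned `pip-audit` job it is worth adding a lock-freshness check (re-run `pip-compile` in CI and fail on a diff) so the lock cannot silently drift from the ranges in `pyproject.toml`. On the dead-code item (audit #15), the `gui/library.py:312-321` and `323-338` line ranges will be stale by the time the file is next touched; pointing at the enclosing function names instead would keep the note usable.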