From 58cbeec2e46f377e7783f112a95282890b1fa362 Mon Sep 17 00:00:00 2001
From: pax <paxxe@protonmail.com>
Date: Sat, 11 Apr 2026 17:29:13 -0500
Subject: [PATCH] remove TODO.md

Both follow-ups (lock file, dead code in core/images.py) are
resolved or explicitly out of scope. The lock file item was
declined as not worth the dev tooling overhead; the dead code
was just removed in 2186f50.
---
 TODO.md | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 TODO.md

diff --git a/TODO.md b/TODO.md
deleted file mode 100644
index ec28092..0000000
--- a/TODO.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# booru-viewer follow-ups
-
-Items deferred from the 2026-04-10 security audit remediation that
-weren't safe or in-scope to fix in the same branch.
-
-## Dependencies / supply chain
-
-- **Lock file** (audit #9): runtime deps now have upper bounds in
-  `pyproject.toml`, but there is still no lock file pinning exact
-  versions + hashes. Generating one needs `pip-tools` (or `uv`) as a
-  new dev dependency, which was out of scope for the security branch.
-  Next pass: add `pip-tools` to a `[project.optional-dependencies] dev`
-  extra and commit a `requirements.lock` produced by
-  `pip-compile --generate-hashes`. Hook into CI as a `pip-audit` job.
-
-## Code quality
-
-- **Dead code in `core/images.py`** (audit #15): `make_thumbnail` and
-  `image_dimensions` are unreferenced. The library's actual
-  thumbnailing happens in `gui/library.py:312-321` (PIL inline) and
-  `gui/library.py:323-338` (ffmpeg subprocess). Delete the two unused
-  functions next time the file is touched. Out of scope here under
-  the "no refactors" constraint.