remove TODO.md
Both follow-ups (lock file, dead code in core/images.py) are resolved or explicitly out of scope. The lock file item was declined as not worth the dev tooling overhead; the dead code was just removed in 2186f50.
This commit is contained in:
parent
2186f50065
commit
58cbeec2e4
23
TODO.md
23
TODO.md
@ -1,23 +0,0 @@
|
|||||||
# booru-viewer follow-ups
|
|
||||||
|
|
||||||
Items deferred from the 2026-04-10 security audit remediation that
|
|
||||||
weren't safe or in-scope to fix in the same branch.
|
|
||||||
|
|
||||||
## Dependencies / supply chain
|
|
||||||
|
|
||||||
- **Lock file** (audit #9): runtime deps now have upper bounds in
|
|
||||||
`pyproject.toml`, but there is still no lock file pinning exact
|
|
||||||
versions + hashes. Generating one needs `pip-tools` (or `uv`) as a
|
|
||||||
new dev dependency, which was out of scope for the security branch.
|
|
||||||
Next pass: add `pip-tools` to a `[project.optional-dependencies] dev`
|
|
||||||
extra and commit a `requirements.lock` produced by
|
|
||||||
`pip-compile --generate-hashes`. Hook into CI as a `pip-audit` job.
|
|
||||||
|
|
||||||
## Code quality
|
|
||||||
|
|
||||||
- **Dead code in `core/images.py`** (audit #15): `make_thumbnail` and
|
|
||||||
`image_dimensions` are unreferenced. The library's actual
|
|
||||||
thumbnailing happens in `gui/library.py:312-321` (PIL inline) and
|
|
||||||
`gui/library.py:323-338` (ffmpeg subprocess). Delete the two unused
|
|
||||||
functions next time the file is touched. Out of scope here under
|
|
||||||
the "no refactors" constraint.
|
|
||||||
Loading…
x
Reference in New Issue
Block a user