pax 160db1f12a docs: TODO.md follow-ups deferred from the 2026-04-10 audit

Captures the lock-file generation work (audit #9) and the
core/images.py dead-code cleanup (audit #15) as explicit
follow-ups so they don't get lost between branches.

2026-04-11 16:27:55 -05:00

1.0 KiB

Raw Blame History

booru-viewer follow-ups

Items deferred from the 2026-04-10 security audit remediation that weren't safe or in-scope to fix in the same branch.

Dependencies / supply chain

Lock file (audit #9): runtime deps now have upper bounds in pyproject.toml, but there is still no lock file pinning exact versions + hashes. Generating one needs pip-tools (or uv) as a new dev dependency, which was out of scope for the security branch. Next pass: add pip-tools to a [project.optional-dependencies] dev extra and commit a requirements.lock produced by pip-compile --generate-hashes. Hook into CI as a pip-audit job.

Code quality

Dead code in core/images.py (audit #15): make_thumbnail and image_dimensions are unreferenced. The library's actual thumbnailing happens in gui/library.py:312-321 (PIL inline) and gui/library.py:323-338 (ffmpeg subprocess). Delete the two unused functions next time the file is touched. Out of scope here under the "no refactors" constraint.

1.0 KiB Raw Blame History

booru-viewer follow-ups

Dependencies / supply chain

Code quality

1.0 KiB

Raw Blame History