Fix HIGH level code scanning alerts#248
…ct in set_style_flags() Agent-Logs-Url: https://github.com/fabiocaccamo/python-fontbro/sessions/87a964b2-9231-4d48-b37e-60ea1e5867e3 Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
fabiocaccamo left a comment:
Remove the font binaries and *.json file changes from this PR.
Agent-Logs-Url: https://github.com/fabiocaccamo/python-fontbro/sessions/cb1adcb7-df88-4f0e-beb7-ca200d1fc3c3 Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
Done in 4e58681 — the font binaries and JSON files have been reverted to their original state and are no longer part of this PR.
Pull request overview
This PR addresses a HIGH severity CodeQL alert (py/modification-of-locals) by removing mutation of the locals() dictionary in Font.set_style_flags(), and includes a few additional repository updates.
Changes:
- Replace `locals()`/`pop()` usage in `set_style_flags()` with an explicit `flags` mapping to avoid the CodeQL alert.
- Add `RobotoMono-Regular.ttf` under test fonts for Roboto Mono.
- Normalize EOF formatting (newline at end) in `unicode-scripts.json` and `unicode-blocks.json`.
Reviewed changes
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| fontbro/font.py | Stops mutating locals() by explicitly building the style-flags dict used to set font style bits. |
| tests/fonts/Roboto_Mono/static/RobotoMono-Regular.ttf | Adds a missing/static test font asset for Roboto Mono Regular. |
| fontbro/data/unicode-scripts.json | EOF formatting normalization (adds trailing newline). |
| fontbro/data/unicode-blocks.json | EOF formatting normalization (adds trailing newline). |
| flags = { | ||
| "regular": regular, | ||
| "bold": bold, | ||
| "italic": italic, | ||
| "underline": underline, | ||
| "outline": outline, | ||
| "shadow": shadow, | ||
| "condensed": condensed, | ||
| "extended": extended, | ||
| } |
Using an explicit hard-coded flags dict means this method can silently ignore future style-flag parameters if the signature is extended and this dict isn’t updated. To keep behavior in sync with the function parameters while still avoiding the CodeQL py/modification-of-locals alert, consider deriving flags from locals().items() into a new dict (i.e., don’t mutate the locals() result) and filtering out self.
| flags = { | |
| "regular": regular, | |
| "bold": bold, | |
| "italic": italic, | |
| "underline": underline, | |
| "outline": outline, | |
| "shadow": shadow, | |
| "condensed": condensed, | |
| "extended": extended, | |
| } | |
| flags = {key: value for key, value in locals().items() if key != "self"} |
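Review bot: the suggested `flags = {key: value for key, value in locals().items() if key != "self"}` keeps the method tied to `locals()`, so it is correct only while it remains the first statement of `set_style_flags()`: any local bound before it, or any future parameter that is not a style flag, silently becomes a key of `flags`. The explicit dict being removed is the clearer record of which parameters are style flags; if drift between signature and dict is the concern, a unit test comparing the dict's keys with the parameters reported by `inspect.signature()` (minus `self`) catches a missed update without reintroducing `locals()`.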
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs #248):
@@ Coverage Diff @@
## main #248 +/- ##
==========================================
- Coverage 99.18% 99.18% -0.01%
==========================================
Files 8 8
Lines 986 985 -1
==========================================
- Hits 978 977 -1
Misses 8 8
Describe your changes
Fixes the HIGH severity CodeQL code scanning alert py/modification-of-locals in fontbro/font.py. In set_style_flags(), replaced the locals() pattern with an explicit dictionary.
Using locals() to capture function parameters and then mutating the result is flagged by CodeQL as a high-severity anti-pattern (py/modification-of-locals). The explicit dict is semantically equivalent and avoids the warning. All 175 tests pass and CodeQL Security Scan reports 0 alerts found.
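As an added illustration (not code from python-fontbro), the locals()-mutation pattern the alert targets and the explicit-dict replacement side by side, plus a signature check that addresses the drift concern raised in the review comment above; the class names and the "before" method body are assumptions shaped like the PR's `set_style_flags()`:

```python
# Added example, not python-fontbro's own code. The "before" class shows the
# locals()-mutation pattern CodeQL flags as py/modification-of-locals (assumed
# shape of the old set_style_flags()); the "after" class builds the dict explicitly.
import inspect

STYLE_FLAG_NAMES = ("regular", "bold", "italic", "underline",
                    "outline", "shadow", "condensed", "extended")


def mutation_does_not_reach_the_frame(x=1):
    """Why the alert is a correctness smell: writing to the dict returned by
    locals() does not change the function's variables in CPython."""
    snapshot = locals()
    snapshot["x"] = 99       # mutates the dict only
    return x                 # still 1: the frame's x is untouched


class StyleFlagsBefore:
    def set_style_flags(self, regular=None, bold=None, italic=None, underline=None,
                        outline=None, shadow=None, condensed=None, extended=None):
        flags = locals()      # includes self
        flags.pop("self")     # mutation of the locals() result: the flagged line
        return {k: v for k, v in flags.items() if v is not None}


class StyleFlagsAfter:
    def set_style_flags(self, regular=None, bold=None, italic=None, underline=None,
                        outline=None, shadow=None, condensed=None, extended=None):
        flags = {  # explicit mapping, as in PR #248; locals() is never touched
            "regular": regular, "bold": bold, "italic": italic, "underline": underline,
            "outline": outline, "shadow": shadow, "condensed": condensed, "extended": extended,
        }
        return {k: v for k, v in flags.items() if v is not None}


def explicit_dict_matches_signature(cls=StyleFlagsAfter):
    """Guard for the drift concern: a parameter added to the signature but not to
    the explicit dict makes this return False, so a unit test can catch it."""
    params = [p for p in inspect.signature(cls.set_style_flags).parameters if p != "self"]
    produced = cls().set_style_flags(**{p: True for p in params})
    return set(produced) == set(params) == set(STYLE_FLAG_NAMES)


def same_result(**kwargs):
    """The two variants yield identical mappings for the same call."""
    return (StyleFlagsBefore().set_style_flags(**kwargs)
            == StyleFlagsAfter().set_style_flags(**kwargs))
```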
Related issue: ?