Improve PyPI READMEs for stubs packages #105
Conversation
|
We might want to switch to using jinja for some of the stuff going on in |
stub_uploader/metadata.py
Outdated
| @property | ||
| def upstream_repository(self) -> str | None: | ||
| return self.data.get("upstream_repository") |
There was a problem hiding this comment.
Possibly we could do some validation here. Typeshed already does a bunch of validation checks for this field, though, so maybe it's not necessary.
There was a problem hiding this comment.
A few general notes: Generally the stub_uploader should treat everything coming from typeshed as "tainted" as a precaution against an attacker gaining access to a typeshed maintainer's GitHub account. (This is the reason why we have so few stub_uploader maintainers -> to limit the attack vector. Personally, I consider every typeshed maintainer to be a stub_uploader maintainer, just without the commit rights.) Crashing the uploader is fine, the risk is uploading potentially harmful code under a "types-" name.
That said, an isinstance check and regexp with "safe" markdown chars can't hurt here. The regexp check should probably just print a warning and return None.
There was a problem hiding this comment.
I added a little more validation in 796d2ea. We could add more. Should we return None if .isascii() returns False? If a regex, what regex?
Open to ideas here, not sure how far we should go :)
… use the METADATA.toml version spec
upstream_repositoryfield in a stubs package'sMETADATA.tomlfile.types-requests==2.31.0.8aims to provide accurate annotations forrequests>=2.31.0.